From a747530268892a62491ed1f1e609f12bef07736a Mon Sep 17 00:00:00 2001 From: Jean-Philippe Pialasse Date: Thu, 11 Sep 2025 00:03:08 -0400 Subject: [PATCH] * Thu Sep 30 2021 John Crisp 0.84-12.sme - Attempt to fix the final reload after CA creation [SME: 11192] --- phpki.spec | 341 +++++- root/.gitignore | 1 + root/.htaccess | 6 + root/CHANGELOG | 16 + root/Makefile | 9 +- root/{README => README.md} | 52 +- root/about.php | 17 +- root/admin/index.php | 201 ++-- root/ca/help.php | 4 +- root/ca/index.php | 1 - root/ca/main.php | 224 ++-- root/ca/manage_certs.php | 673 ++++++------ root/ca/policy.html | 112 +- root/ca/request_cert.php | 589 ++++++---- root/config.php | 3 +- root/css/style.css | 347 +++--- root/gen_crl.php | 8 +- root/help.php | 14 +- root/help/PKI_basics.html | 68 +- root/help/cacert_install_ie.html | 64 +- root/help/glossary.html | 269 ++--- root/help/usercert_install_ie.html | 79 +- root/include/common.php | 225 ++-- root/include/my_functions.php | 325 ++++-- root/include/openssl_functions.php | 1111 ++++++++++--------- root/index.php | 0 root/main.php | 94 +- root/ns_revoke_query.php | 27 +- root/openssl.cnf | 4 +- root/policy.html | 17 +- root/readme.php | 3 +- root/search.php | 195 ++-- root/secure.sh | 11 +- root/setup.php | 0 root/setup.php-presetup | 1603 +++++++++++++++++----------- 35 files changed, 3917 insertions(+), 2796 deletions(-) create mode 100644 root/.htaccess rename root/{README => README.md} (71%) mode change 120000 => 100644 root/index.php mode change 100755 => 100644 root/secure.sh mode change 120000 => 100644 root/setup.php diff --git a/phpki.spec b/phpki.spec index 4e9c67b..8073ad2 100644 --- a/phpki.spec +++ b/phpki.spec @@ -1,55 +1,336 @@ -%define name phpki -%define version 1.0 -%define release 1 -Summary: This is what phpki does. -Name: %{name} -Version: %{version} -Release: %{release}%{?dist} -Source: %{name}-%{version}.tar.gz -License: GNU GPL version 2 -Group: SMEserver/addon -BuildRoot: %{_tmppath}/%{name}-buildroot -Prefix: %{_prefix} -BuildArchitectures: noarch -BuildRequires: smeserver-devtools -Requires: smeserver-release >= 11.0 -AutoReqProv: no +# $Id: phpki-ng.spec,v 1.4 2018/11/17 13:20:42 jcrisp Exp $ +# Authority: vip-ire +# Name: Daniel Berteaud + +%define name phpki +%define version 0.84 +%define release 12 +Summary: Phpki is a simple certificate management suite +Name: %{name} +Version: %{version} +Release: %{release}%{?dist} +License: GNU GPL version 2 +URL: http://sourceforge.net/projects/phpki/ +Group: SMEserver/addon +#wget http://www.fooweb.com/downloads/foo-3.6.431.tar.gz +Source: %{name}-%{version}.tar.gz +Patch1: phpki-ng-0.84-fix-for-php74-code-tidy.patch +Patch2: phpki-ng-0.84-fix-pregmatch-revoke-certs.patch +Patch3: phpki-ng-0.84-fix-crl.patch +Patch4: phpki-ng-0.84-fix-missing-slash-certtype-detection.patch +Patch5: phpki-ng-0.84-fix-html-directory-check.patch +Patch6: phpki-ng-0.84-fix-download-cert.patch +Patch7: phpki-ng-0.84-fix-html-syntax-in-help.patch +Patch8: phpki-ng-0.84-fix-final-redirect.patch + +BuildArch: noarch +BuildRoot: /var/tmp/%{name}-%{version} + +BuildRequires: e-smith-devtools + +Requires: e-smith-release >= 10.0 +Requires: php74-php-fpm +Requires: openssl +Requires: openvpn +Provides: phpki-ng +AutoReqProv: no %description -phki fork of unmaintained project with our patches. +http://sourceforge.net/projects/phpki/ +https://github.com/radicand/phpki +https://github.com/reetp/phpki +PHPki is an Open Source Web application for managing a multi-agency PKI for HIPAA compliance. +With it, you may create and centrally manage X.509 certificates for use with S/MIME enabled +e-mail clients, SSL servers, and VPN applications. %changelog -* Day MMMM DD YYYY 1.0-1.sme -- Initial code - create RPM [SME:99999] +* Thu Sep 30 2021 John Crisp 0.84-12.sme +- Attempt to fix the final reload after CA creation [SME: 11192] + +* Thu Aug 05 2021 John Crisp 0.84-11.sme +- Fix html syntax error in help - Thanks Mauro De Carolis [SME: 11688] + +* Tue Apr 06 2021 John Crisp 0.84-10.sme +- And tidy up the copying wording. [SME: 11192] +- Credit to Terry Fage for persisting with testing + +* Mon Apr 05 2021 John Crisp 0.84-9.sme +- Really fix the copy this time [SME: 11192] + +* Sat Apr 03 2021 John Crisp 0.84-8.sme +- copy phpki-store as a backup instead of move [SME: 11192] + +* Thu Apr 01 2021 John Crisp 0.84-7.sme +- Fix broken Download Certificate in Cert generation [SME: 11513] + +* Thu Mar 18 2021 John Crisp 0.84-6.sme +- Update html header info [SME: 11192] +- Remove obsolete align +- Remove accidentally duplicated html +- Fix typo +- Fix directory check +- move function flush_exec to functions file + +* Tue Mar 09 2021 John Crisp 0.84-5.sme +- Fix missing / [SME:11435] +- Update cert type detection for renew [SME: 11436] +- Code formatting + +* Mon Mar 08 2021 John Crisp 0.84-4.sme +- Fix crl creation [SME: 11141] +- Extra notes in setup page + +* Mon Mar 08 2021 John Crisp 0.84-3.sme +- Fix Typo in certificate password [SME: 11435] +- Fix typos and preg_match issues [SME: 11436] +- Add Certificate creation notification [SME: 11437] +- Bit of file formatting + +* Wed Mar 03 2021 John Crisp 0.84-2.sme +- Change version to 0.84 +- Fix undefined constant errors [SME: 11397] +- fix tempdir [SME: 11398] +- update code to be PHP 7.4+ compliant +- format with CodeSniff to PSR2 + +* Wed Apr 01 2020 John Crisp 0.84-1.sme +- Rename to php-ng 0.84 [SME: 11192] +- Fix date sorting in certificates + +* Thu Mar 19 2020 John Crisp 0.83-9.sme +- Update DH to 2048 + +* Mon Mar 09 2020 John Crisp 0.83-8.sme +- move warning and exit to %pre + +* Sat Mar 07 2020 John Crisp 0.83-7.sme +- Lots of formatting - adding quotes to items and tidying up +- set default md to 512 + +* Wed Mar 04 2020 John Crisp 0.83-6.sme +- Fix renew-cert +- revert DH setup so you can see progress + +* Wed Mar 04 2020 John Crisp 0.83-5.sme +- Fix create cert without password + +* Wed Mar 04 2020 John Crisp 0.83-4.sme +- Fix openvpn error + +* Tue Mar 03 2020 John Crisp 0.83-3.sme +- more fixes + +* Sat Feb 29 2020 John Crisp 0.83-2.sme +- small fixes + +* Fri Feb 28 2020 John Crisp 0.83-1.sme +- Update to 0.83 + +* Sat Nov 17 2018 Terry Fage 0.82-19.sme +- Fix preg_match warnings [SME:10622] + +* Mon Oct 8 2018 Daniel B. 0.82-18.sme +- Fix potential XSS with unsafe use of PHP_SELF [SME: 10626] + +* Thu Sep 6 2018 brian r. 0.82-17.sme +- Replace use of ereg by preg_replace as per deprecated in php 5.3 and removed in 7.0 +- [SME: 10622] + +* Mon Dec 12 2011 Daniel B. 0.82-16.sme +- Remove php-posix dependency (not available, nor needed on SME 7.x) [SME: 6805] + +* Wed Oct 26 2011 Daniel B. 0.82-15.sme +- Requires php-posix + +* Wed Jun 29 2011 Daniel B. 0.82-14.sme +- Don't check issuer (everyone allowed to access /ca can manage + all the certificates, access to /ca is controlled by apache) + +* Tue Mar 15 2011 Daniel B. 0.82-13.sme +- Replace md5 with sha1 for signing + +* Fri May 28 2010 Daniel B. [0.82-12] +- Weekly update the CRL via cron so MS Crypto API will be happy + +* Thu Mar 18 2010 Daniel B. [0.82-11] +- Fixe empty password with PHP 5.2 (SME 8b5) + +* Wed Aug 26 2009 Daniel B. [0.82-10] +- Fixe links for CA help page + +* Mon Mar 23 2009 Daniel B. [0.82-9] +- Remove links after uninstall so you can easily re-install the contrib + later [SME: 5091] + +* Tue Mar 03 2009 Daniel B. [0.82-8] +- Add e-smith-devtools as a dependencie + +* Tue Jan 20 2009 Daniel B. [0.82-7] +- Don't replace config file on upgrades + +* Wed Jan 07 2009 Daniel B. [0.82-6] +- Remove the email address from the file name during upload (in search page) +- Remove secure.sh script + +* Tue Dec 16 2008 Daniel B. [0.82-5] +- Link index.php to setup-presetup.php + +* Mon Dec 08 2008 Daniel B. [0.82-4] +- Changes so certificates imported from openvpn-bridge are recognized +- Configure default admin user to 'admin' +- Create a static key for OpenVPN TLS auth (requires openvpn) +- Add expirey values (3 Months, 6 Months) +- Display or download takey.pem and dhparam1024.pem from + the certificate management menue +- Display the Root certificate in PEM format +- Possibility to download the CRL in PEM format +- Remove the email address from the file name during upload +- Disable download of certificate after creating a new one +- Remove security warning after setup + +* Fri Dec 05 2008 Daniel B. [0.82-3] +- Correct extension name for email_signing certificates +- Remove links, and recreate them in the %post section so upgrade can be done smoothly + +* Wed Nov 26 2008 Daniel B. [0.82-0] +- initial release +- builds from unchanged .tar.gz %prep - -%setup -q +%setup -c -n %{name} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 %build -perl createlinks +%{__mkdir_p} root/opt/phpki/html +%{__mkdir_p} root/opt/phpki/phpki-store +%{__mkdir_p} root/opt/phpki/bin +%{__mkdir_p} root/%{_sysconfdir}/cron.weekly/ +%{__mv} %{name}-%{version}/gen_crl.php root/opt/phpki/bin/ +%{__mv} %{name}-%{version}/* root/opt/phpki/html/ + + +cat <<"HERE" > root/%{_sysconfdir}/cron.weekly/phpki_update_crl +#!/bin/bash + +cd /opt/phpki/bin +/usr/bin/php74 ./gen_crl.php 2>&1 > /dev/null + +HERE + + +# Remove links to setup page so upgrades can be done smoothly +%{__rm} -f root/opt/phpki/html/index.php +%{__rm} -f root/opt/phpki/html/ca/index.php +%{__rm} -f root/opt/phpki/html/setup.php + +# This script shouldn't be here +%{__rm} -f root/opt/phpki/html/secure.sh + %install rm -rf $RPM_BUILD_ROOT (cd root ; find . -depth -print | cpio -dump $RPM_BUILD_ROOT) rm -f %{name}-%{version}-filelist /sbin/e-smith/genfilelist $RPM_BUILD_ROOT \ -> %{name}-%{version}-filelist -#echo "%doc COPYING" >> %{name}-%{version}-filelist -#--dir 'attr(755,user,grp)' \ -#--file 'attr(755,root,root)' \ + --file '/opt/phpki/html/config.php' 'attr(660,root,phpki) %config(noreplace)' \ + --file '/opt/phpki/html/openssl.cnf' 'attr(660,root,phpki) %config(noreplace)' \ + --file '%{_sysconfdir}/cron.weekly/phpki_update_crl' 'attr(744,root,root)' \ + --dir '/opt/phpki/html' 'attr(770,root,phpki)' \ + --dir '/opt/phpki/html/ca' 'attr(770,root,phpki)' \ + --dir '/opt/phpki/phpki-store' 'attr(750,phpki,phpki)' \ + > %{name}-%{version}-filelist + +%files -f %{name}-%{version}-filelist +%defattr(-,root,root) %clean cd .. -rm -rf %{name}-%{version} +rm -rf $RPM_BUILD_ROOT %pre +if ! /usr/bin/id phpki &>/dev/null; then + echo "Creating phpki user" + /usr/sbin/useradd -c 'Phpki User' -s /sbin/nologin -r -d /opt/phpki/phpki-store phpki &>/dev/null || \ + %logmsg "Unexpected error adding user \"phpki\". Abort installation." +fi + +echo "******************************************************" +echo "* " +echo "* !!! IMPORTANT - READ THIS NOW !!! " +echo "* " +echo "******************************************************" +echo "* This contrib now has higher levels of encryption" +echo "* " +echo "* We cannot upgrade your existing certificates" +echo "* existing certificates from SME9 or below have either " +echo "* md5WithRSAEncryption sha1WithRSAEncryption" +echo "* as Signature Algorithm (weak)." +echo "* only way to update to sha256 or sha512 is to " +echo "* start from scratch." +echo "* " +echo "* If you have existing certificates you want to use" +echo "* then start with a new CA, backup up, and then restore" +echo "* your phpki-store directory in /opt/phpki" +echo "* " +echo "******************************************************" +echo "" + +if [ -d /opt/phpki/phpki-store ] ; then + echo "Backing up your /opt/phpki/phpki-store" + today=$(date "+%Y%m%d%H%M") + echo "Copying from /opt/phpki/phpki-store to /opt/phpki/phpki-store.$today" + /bin/cp -pr /opt/phpki/phpki-store "/opt/phpki/phpki-store.$today" + echo "Directory copied... continuing to install" + # fix missing md_default + if ( grep default_md /opt/phpki/phpki-store/config/config.php -q ); then + echo "md_default OK" + else + echo "default_md missing in /opt/phpki/phpki-store/config/config.php" + echo "getting value from /opt/phpki/phpki-store/config/openssl.cnf" + # it could ba acceptable to hash sha256 a certificate from a root with sha1. + defaultmd=$(awk '/^default_md/{print $NF}' /opt/phpki/phpki-store/config/openssl.cnf || echo "sha512") + echo "inserting $defaultmd default_md at end of /opt/phpki/phpki-store/config/config.php" + sed -i '/\?>/i \ + # Define default md \ + \$config['default_md'] = "'$defaultmd'";' /opt/phpki/phpki-store/config/config.php + echo "Done... continuing to install" + fi +else + echo "No directory detected... continuing to install" +fi + %preun + %post +# First install, point index.php to setup.php +if [ $1 == 1 ]; then + #do not do if there is already a CA (restore from backup)) + if [ ! -f /opt/phpki/phpki-store/config/config.php ] ; then + %{__ln_s} /opt/phpki/html/setup.php-presetup /opt/phpki/html/index.php + %{__ln_s} /opt/phpki/html/setup.php-presetup /opt/phpki/html/setup.php + fi + echo " +" > /opt/phpki/html/ca/index.php +fi + %postun -#uninstall -%files -f %{name}-%{version}-filelist -%defattr(-,root,root) +# Remove the links to index.php after uninstall +if [ $1 == 0 ]; then + %{__rm} -f /opt/phpki/html/index.php + %{__rm} -f /opt/phpki/html/setup.php + %{__rm} -f /opt/phpki/html/ca/index.php +fi + +true diff --git a/root/.gitignore b/root/.gitignore index e69de29..423c72c 100644 --- a/root/.gitignore +++ b/root/.gitignore @@ -0,0 +1 @@ +*.komodoproject \ No newline at end of file diff --git a/root/.htaccess b/root/.htaccess new file mode 100644 index 0000000..42257ce --- /dev/null +++ b/root/.htaccess @@ -0,0 +1,6 @@ +Options FollowSymLinks +php_flag register_globals off +php_flag register_long_arrays on +AddType application/x-x509-ca-cert .crt .pem +AddType application/pkix-crl .crl +AddType application/pkix-cert .cer .der diff --git a/root/CHANGELOG b/root/CHANGELOG index 2bb2b4e..da91ca6 100644 --- a/root/CHANGELOG +++ b/root/CHANGELOG @@ -118,3 +118,19 @@ v0.82 (possibly final release) - Fixed chown in secure.sh for FreeBSD compatibility. - Fixed quote mismatch in ca/help.php - Added support for time stamping certificates, Idea by Sebastien Bahlol. + +v0.83 (bugfix) +- Converted deprecated HTTP_SERVER_VARS to _SERVER +- Fixed emailcodesigning error in openssl_functions.php +- Fixed failure to create httpasswd file in secure.sh +- Fixed false positives when detecting if requested email certificate already exists +- Added support for 4 character TLD in email address +- Added support for short term certificates (1,3,6 months) + +v0.84 (updates and fixes) +- Merge v0.83/radicand/SME v0.82 +- Add OpenVPN capability if installed +- Lots of code formatting +- Tidy dangling html tags +- Sanitise some vars +- Standardise some vars diff --git a/root/Makefile b/root/Makefile index 55360c8..e280a81 100644 --- a/root/Makefile +++ b/root/Makefile @@ -1,4 +1,4 @@ -VERSION = 0.82 +VERSION = 0.83 UID = $(shell id -u) GID = $(shell id -g) @@ -22,10 +22,10 @@ distclean: clean echo -e '' > ca/index.php echo ' config.php - echo 'define(PHPKI_VERSION, "$(VERSION)");' >> config.php + echo 'define("PHPKI_VERSION", "$(VERSION)");' >> config.php echo '?>' >> config.php - rm -f index.php + rm -f index.php setup.php ln -sf readme.php index.php ln -sf setup.php-presetup setup.php @@ -48,5 +48,8 @@ distclean: clean @echo -e "Point your browser to your PHPki installation to configure and" @echo -e "create your root certificate. (i.e. http://www.domain.com/phpki/)\n" +secure: + @./secure.sh + fixperms: @./secure.sh diff --git a/root/README b/root/README.md similarity index 71% rename from root/README rename to root/README.md index 4b02b72..5808598 100644 --- a/root/README +++ b/root/README.md @@ -1,3 +1,52 @@ +PHPKi +===== + +A simple PHP/web based system for generating your own certificates +------------------------------------------------------------------ + +Here are the comments from the radicand repo and the original docs + +No one appears to be maintaining this and I find it very handy. + +I discovered some issues and there are some additional bits we have for OpenVPN (if installed) at Koozali SME server so I thought I'd incorporate them in as well. + +It tries to detect if it is installed on Koozali which needs a couple of small mods, and if openvpn is installed it will create a takey. + +Note... YMMV.... + +I'm sure it is primitive by todays standards but does what I need. + +I will try and maintain it for the foreseeable future. + +Note I have changed the default admin from 'phpkiadmin' to 'admin' for utilisation on KoozaliSME Server. + +You can modify this as required as per the README below. + + +About this fork +=============== + +Reasons for forking +------------------- + +After spending a fair amount of time looking for a basic, relatively full featured internal PKI solution, I came across PHPki on Sourceforge. However, being that I don't enjoy using Sourceforge and that there are a number of improvements I wish to make to this solution, I have forked it into a Github repository. Hopefully others may find this useful. + +Main changes +------------ + +* Changed hash algorithm from MD5 to SHA + + +Planned changes +--------------- + +* Remove usage of symlinks. +* Strip out built-in password support -- this can be implemented by the webserver (htaccess) or a bolt-on like SimpleSAMLphp +* Fix CRL subsystem (I found this to not be operational, have not yet investigated) + + +Original README (0.83) +====================== NOTICE: This application is designed to be an easy to use "certificate factory" requiring minimum human intervention to administer. It is intended for @@ -36,6 +85,7 @@ Unpack the PHPki tarball onto your web server. For example: cp phpki.tar.gz /var/tmp cd /var/www/html tar -xzvf /var/tmp/phpki.tar.gz + chown -R phpki/ To configure the certificate authority and create your root certificate, point your browser to where you unpacked PHPki. For example: @@ -70,7 +120,7 @@ you specified during setup. Normal users may only manage the certificates they create. Administrators can manage all certificates. The default administrator account is -"pkiadmin". The secure.sh script will attempt to add this user to your +"admin". The secure.sh script will attempt to add this user to your phpkipasswd file when it is first created. Other users can be made administrators by carefully editing the $PHPki_admins assignment in config/config.php under your certificate store directory. diff --git a/root/about.php b/root/about.php index 4e3c07f..267ae99 100644 --- a/root/about.php +++ b/root/about.php @@ -1,44 +1,45 @@ +

PHPki is an Open Source -Web application for managing a help/glossary.html#PKI target=help/glossary> +Web application for managing a help/glossary.html#PKI target=help/glossary> Public Key Infrastructure within a small organizations. PHPki acts as a mechanism for the centralized creation and management of digital certificates. PHPki is capable of managing certificates for multiple organizations or user -accounts. +accounts.

PHPki requires the Apache Web Server, the PHP Scripting Language, and OpenSSL, all of which are included with any major Linux Operating System distribution. +

This software may be freely redistributed under the terms of the GNU Public License provided this page and all copyright notices remain completely intact. +

+

Copyright: 2003, William E. Roadcap

-

+

- diff --git a/root/admin/index.php b/root/admin/index.php index 486e2e3..db2b797 100644 --- a/root/admin/index.php +++ b/root/admin/index.php @@ -10,118 +10,117 @@ $login = gpvar('login'); $passwd = gpvar('passwd'); $passwdv = gpvar('passwdv'); -switch($stage) { -case 'list_users': - printHeader('admin'); +switch ($stage) { + case 'list_users': + printHeader('admin'); print '

Contents of '.htvar($config['passwd_file']).' file:

';
         readfile($config['passwd_file'])
 
-	?>
-
-
method=post> - -
- + +
+ +
+ - -
method=post name=form> - - - - - -

Add User or Change Password

User ID
Password
Verify Password
- - -
- + +
+ + + + + +

Add User or Change Password

User ID
Password
Verify Password
+ + +
+

Missing or invalid password or password and password verification do not match.

" + case 'add_user': + printHeader('admin'); + if (! $passwd || ! $passwdv || $passwd != $passwdv || strlen($passwd) < 8) { + print "

Missing or invalid password or password and password verification do not match.

" - ?> -

-
method=post> - - - -
- +

+
+ + + +
+ '; - system("htpasswd -bm $pwdfile $login $passwd 2>&1") - ?> -

-

method=post> - -
- '; + system("htpasswd -bm $pwdfile $login $passwd 2>&1") + ?> +

+

+ +
+ - -
method=post name=form> - - - -

Remove User

User ID
- - -
- + +
+ + + +

Remove User

User ID
+ + +
+ '; - system("htpasswd -D $pwdfile $login 2>&1") - ?> -

-

method=post> - -
- '; + system("htpasswd -D $pwdfile $login 2>&1") + ?> +

+

+ +
+ -
-
-
- - -
SYSADMIN MENU
- - - -
?stage=add_user_form>Add User or Change Password
?stage=del_user_form>Remove User
?stage=list_users>List Password File Contents
-
-

- +
+
+
+ + +
SYSADMIN MENU
+ + + +
?stage=add_user_form>Add User or Change Password
?stage=del_user_form>Remove User
?stage=list_users>List Password File Contents
+
+

+ diff --git a/root/ca/help.php b/root/ca/help.php index 425b0b7..6e66486 100644 --- a/root/ca/help.php +++ b/root/ca/help.php @@ -364,10 +364,10 @@ PHPki glossary of terms.

GETTING ADDITIONAL HELP

- +

- diff --git a/root/ca/index.php b/root/ca/index.php index ed365f3..5c6e24f 100644 --- a/root/ca/index.php +++ b/root/ca/index.php @@ -1,3 +1,2 @@ diff --git a/root/ca/main.php b/root/ca/main.php index 50d3d03..e18455e 100644 --- a/root/ca/main.php +++ b/root/ca/main.php @@ -8,155 +8,159 @@ include("../include/openssl_functions.php"); $stage = gpvar('stage'); -switch($stage) { - -case 'dl_takey': - upload("$config[private_dir]/takey.pem", "$config[ca_prefix]takey.pem", 'application/octet-stream'); +switch ($stage) { + case 'dl_takey': + upload($config['private_dir'] . '/takey.pem', $config['ca_prefix'] . 'takey.pem', 'application/octet-stream'); break; -case 'dl_dhparam': - upload("$config[private_dir]/dhparam1024.pem", "$config[ca_prefix]dhparam1024.pem", 'application/octet-stream'); + case 'dl_dhparam': + upload($config['private_dir'] . '/dhparam2048.pem', $config['ca_prefix'] . 'dhparam2048.pem', 'application/octet-stream'); break; -case 'dl_root': - upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert'); - break; + case 'dl_root': + upload($config['cacert_pem'], $config['ca_prefix'] . 'cacert.crt', 'application/x-x509-ca-cert'); + break; -case 'dl_crl': - upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl'); - break; + case 'dl_crl': + upload($config['cacrl_der'], $config['ca_prefix'] . 'cacrl.crl', 'application/pkix-crl'); + break; -case 'dl_crl_pem': - upload("$config[cacrl_pem]", "$config[ca_prefix]cacrl.crl", 'application/octet-stream'); - break; + case 'dl_crl_pem': + upload($config['cacrl_pem'], $config['ca_prefix'] . 'cacrl.crl', 'application/octet-stream'); + break; -case 'gen_crl': + case 'gen_crl': list($ret,$errtxt) = CA_generate_crl(); printHeader(false); if ($ret) { - ?> -

Certificate Revocation List Updated

-

-

method=post> - -
- '.CA_crl_text().''; - } - else { - ?> - -

There was an error updating the Certificate Revocation List.


-
-

Debug Info:

-
-
-
method=post> -

- -

-

- +

Certificate Revocation List Updated

+
+
+ +
+ '.CA_crl_text().''; + } else { + ?> + +

There was an error updating the Certificate Revocation List.


+
+

Debug Info:

+
+
+
+
+ +
+
+

OpenVPN pre-shared Key

-

-

method=post> - -
- '.ta_key_text().''; +
+
+ +
+ '.ta_key_text().''; break; -case 'display_dhparam': + case 'display_dhparam': printHeader(false); ?>

OpenVPN Diffie-Helman parameters

-

-

method=post> - -
- '.dhparam_text().''; +
+
+ +
+ '.dhparam_text().''; break; -case 'display_root_pem': + case 'display_root_pem': printHeader(false); ?>

Root certificate file (PEM Encoded)

-

-

method=post> - -
- '.root_pem_text().''; +
+
+ +
+ '.root_pem_text().''; break; -default: - printHeader('ca'); - ?> -
-
-
- - - - - - - - - - - - - - - - + default: + printHeader('ca'); + ?> +
+
+
+
CERTIFICATE MANAGEMENT MENU
- Create a New CertificateUse the Certificate Request Form to create and download new digital certificates. - You may create certificates in succession without re-entering the entire form - by clicking the "Go Back" button after each certificate is created.
- Manage CertificatesConveniently view, download, revoke, and renew your existing certificates using the - Certificate Management Control Panel.
- ?stage=gen_crl>Update & View the Certificate Revocation ListSome applications automagically reference the Certificate Revocation List to determine - certificate validity. It is not necessary to perform this update function, as the CRL is - updated when certificates are revoked. However, doing so is harmless. - Read the online help to learn more about this.
- ?stage=dl_root>Download the Root Certificate

- ?stage=display_root_pem>Display the Root Certificate (PEM Encoded)		The "Root" certificate must be installed before using any of the - certificates issued here. Read the online help - to learn more about this.
- ?stage=dl_crl>Download the Certificate Revocation ListThis is the official list of revoked certificates. Using this list with your e-mail or - browser application is optional. Some applications will automagically reference this list. - (Some will need it in PEM format.)
+ + - + Manage Certificates + - + Update & View the Certificate Revocation List + -
CERTIFICATE MANAGEMENT MENU
+ Create a New CertificateUse the Certificate Request Form to create and download new digital certificates. + You may create certificates in succession without re-entering the entire form + by clicking the "Go Back" button after each certificate is created.
- ?stage=dl_takey>Download the static pre-shared key

- ?stage=display_takey>Display the static pre-shared key		This key can be used with OpenVPN as a standalone auth mecanism, or as an additionnal TLS authentication.
Conveniently view, download, revoke, and renew your existing certificates using the + Certificate Management Control Panel.
- ?stage=dl_dhparam>Download the Diffie-Hellman parameters

- ?stage=display_dhparam>Display the Diffie-Hellman parameters		This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement - protocol enables two communication partners to exchange a secret key safely.
Some applications automagically reference the Certificate Revocation List to determine + certificate validity. It is not necessary to perform this update function, as the CRL is + updated when certificates are revoked. However, doing so is harmless. + Read the online help to learn more about this.
-
-

- + Download the Root Certificate

+ Display the Root Certificate (PEM Encoded) + The "Root" certificate must be installed before using any of the + certificates issued here. Read the online help + to learn more about this. + + + Download the Certificate Revocation List

+ Download in PEM format. + This is the official list of revoked certificates. Using this list with your e-mail or + browser application is optional. Some applications will automagically reference this list. + + + Download the static pre-shared key

+ Display the static pre-shared key + This key can be used with OpenVPN as a standalone auth mechanism, or as an additional TLS authentication. + + + + Download the Diffie-Hellman parameters

+ Display the Diffie-Hellman parameters + This file is used by OpenVPN for the hand-shake. The Diffie-Hellman key agreement + protocol enables two communication partners to exchange a secret key safely. + + + + +

+ diff --git a/root/ca/manage_certs.php b/root/ca/manage_certs.php index b08bca3..e3f1527 100644 --- a/root/ca/manage_certs.php +++ b/root/ca/manage_certs.php @@ -6,393 +6,420 @@ include('../include/my_functions.php'); include('../include/common.php'); include('../include/openssl_functions.php'); -$stage = gpvar('stage'); -$serial = gpvar('serial'); -$sortfield = gpvar('sortfield'); -$ascdec = gpvar('ascdec'); -$passwd = gpvar('passwd'); -$expiry = gpvar('expiry'); -$submit = gpvar('submit'); -$dl_type = gpvar('dl_type'); +$stage = gpvar('stage'); +$serial = gpvar('serial'); +$sortfield = gpvar('sortfield'); +$ascdec = gpvar('ascdec'); +$passwd = gpvar('passwd'); +$expiry = gpvar('expiry'); +$submit = gpvar('submit'); +$dl_type = gpvar('dl_type'); $search = gpvar('search'); $show_valid = gpvar('show_valid'); $show_revoked = gpvar('show_revoked'); $show_expired = gpvar('show_expired'); -if ( !($show_valid.$show_revoked.$show_expired) ) { - $show_valid = 'V'; - $show_revoked = 'R'; - $show_expired = 'E'; + +# Prevent handling certs that don't belong to user +if ($serial && CAdb_issuer($serial) != $PHPki_user && ! in_array($PHPki_user, $PHPki_admins)) { + $stage = 'goaway'; } -$qstr_filter = 'search='.htvar($search).'&'. - "show_valid=$show_valid&". - "show_revoked=$show_revoked&". - "show_expired=$show_expired&"; +if (!($show_valid.$show_revoked.$show_expired)) { + $show_valid = 'V'; + $show_revoked = 'R'; + $show_expired = 'E'; +} + +$qstr_filter = 'search='.htvar($search) . '&' . "show_valid=$show_valid&" . "show_revoked=$show_revoked&" . "show_expired=$show_expired&"; $qstr_sort = "sortfield=$sortfield&ascdec=$ascdec"; switch ($stage) { -case 'goaway': - printHeader(false); - ?>

YOU ARE A VERY BAD BOY!

-case 'display': - printHeader(false); +

YOU ARE A VERY BAD BOY!

- ?> -

Certificate Details

-

(#)
')?>

-

REVOKED '.$revoke_date.'

'; + case 'display': + printHeader(false); + ?> - print '
'.CA_cert_text($serial).'
'; - break; +

Certificate Details

+

(#)
')?>

-case 'dl-confirm': - printHeader('ca'); +

REVOKED '.$revoke_date.'

'; + } - ?> -

You are about to download the PRIVATE certificate key for

-

DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!

-
- File type: - + print '
'.CA_cert_text($serial).'
'; + break; - -   or   - -
- +

You are about to download the PRIVATE certificate key for

+

DO NOT DISTRIBUTE THIS FILE TO THE PUBLIC!

+
+ File type: + + +   or   + +
- $rec = CAdb_get_entry($serial); + -

You are about to REVOKE the following certificate: - - - - '.htvar($rec[serial]).'
- '.htvar($rec[common_name]).'
- '.htvar($rec[email]).'
- '.htvar($rec[organization]).'
- '.htvar($rec[unit]).'
- '.htvar($rec[locality]).'
- '.htvar($rec[province]).'
- '.htvar($rec[country]).'
- -
-

- Serial Number
- User's Name
- Email Address
- Organization
- Department/Unit
- Locality
- State/Province
- Country
-

-
-

Are you sure?

-
- - -   - -
'; - - break; + case 'revoke-form': + $rec = CAdb_get_entry($serial); -case 'revoke': - $ret = true; - if ($submit == 'Yes') - list($ret, $errtxt) = CA_revoke_cert($serial); + printHeader('ca'); - if (! $ret) { - printHeader('ca'); + ?> +

You are about to REVOKE the following certificate: +
+ + + "; - ?> - -

There was an error revoking your certificate -.


-
-

Debug Info:

-
-
-

- -

- - + '.htvar($rec['serial']).'
+ '.htvar($rec['common_name']).'
+ '.htvar($rec['email']).'
+ '.htvar($rec['organization']).'
+ '.htvar($rec['unit']).'
+ '.htvar($rec['locality']).'
+ '.htvar($rec['province']).'
+ '.htvar($rec['country']).'
+ +

+

+ Serial Number
+ User's Name
+ Email Address
+ Organization
+ Department/Unit
+ Locality
+ State/Province
+ Country
+

+
+

Are you sure?

+
+ + +   + +
'; -case 'renew-form': - # - # Get last known values submitted by this user. We only really - # need the expiry value, but the old cert values will override - # the rest. - # - if (! $submit and file_exists("config/user-${PHPki_user}.php")) - include("config/user-${PHPki_user}.php"); + break; - # - # Get values from the old certificate. - # - $rec = CAdb_get_entry($serial); - $country = $rec['country']; - $province = $rec['province']; - $locality = $rec['locality']; - $organization = $rec['organization']; - $unit = $rec['unit']; - $common_name = $rec['common_name']; - $email = $rec['email']; + case 'revoke': + $ret = true; + if ($submit == 'Yes') { + list($ret, $errtxt) = CA_revoke_cert($serial); + } - printHeader('ca'); - ?> - + if (! $ret) { + printHeader('ca'); -
- - + print ""; + ?> + +

There was an error revoking your certificate.


+
+

Debug Info:

+
+
+

+ +

+ + -

- - + case 'renew-form': + # + # Get last known values submitted by this user. We only really + # need the expiry value, but the old cert values will override + # the rest. + # + if (! $submit and file_exists("config/user-${PHPki_user}.php")) { + include("config/user-${PHPki_user}.php"); + } + # + # Get values from the old certificate. + # + $rec = CAdb_get_entry($serial); + $country = $rec['country']; + $province = $rec['province']; + $locality = $rec['locality']; + $organization = $rec['organization']; + $unit = $rec['unit']; + $common_name = $rec['common_name']; + $email = $rec['email']; - - - - + printHeader('ca'); + ?> + - - - - + +

Certificate Renewal Form

Common Name
E-mail Address
Organization
+ - - - + + + - - - + + + + - - - + + + + - - - - + + + + - - - - + + + - - - + - print "\n" ; - print "\n" ; - print "\n" ; - for ( $i = 2 ; $i <= 5 ; $i++ ) { - print "\n" ; - } + + + - ?> + + + + - - - - - - -

Certificate Renewal Form

Department/Unit
This will Revoke the old Certificate and Create a new one
+ If a password was used to create the original certificate you must use it below
Locality
Common Name
State/Province
E-mail Address
Country
Organization
Certificate Password
Department/Unit
Certificate Life Locality
State/Province
Country
-
  -
- 		- - > -
- - + Certificate Password - might be required + + - printFooter(); - break; + + Certificate Life + -

- - - - - - + + + + + +
CERTIFICATE MANAGEMENT CONTROL PANEL
-
" method=get name=filter> - Search: -       >Valid -   >Revoked -   >Expired -       +
  +   + + + +
- - - '; - $headings = array( - status=>"Status", issued=>"Issued", expires=>"Expires", - common_name=>"User's Name", email=>"E-mail", - organization=>"Organization", unit=>"Department", - locality=>"Locality" - ); + case 'renew': + $ret = true; + if ($submit == "Submit Request") { + list($ret, $errtxt) = CA_renew_cert($serial, $expiry, $passwd); + } - foreach($headings as $field=>$head) { - print ''.$head.''; + if (! $ret) { + printHeader('ca'); - if ($sortfield == $field) { - print ' '. - '\'Change'; - } + print "

"; + ?> + +

There was an error creating your certificate.

+
+
+

Debug Info:

+
+
+

+ +

+

+ '; - } - print ''; + break; - $x = "^[$show_valid$show_revoked$show_expired]"; + default: + printHeader('ca'); + ?> - $x = "$x.*$search"; + + + + + - $db = csort(CAdb_to_array($x), $sortfield, ($ascdec=='A'?SORT_ASC:SORT_DESC)); + 'green',Revoked=>'red',Expired=>'orange'); + if (! $sortfield) { + $sortfield = 'email' ; + $ascdec = 'A'; + } - foreach($db as $rec) { - print ' - - - - - - - - - '; - - } + print ''; - print '
CERTIFICATE MANAGEMENT CONTROL PANEL
+
" method="get" name="filter"> + Search: +        + >Valid +    + >Revoked +    + >Expired +       + +
+
' .$rec[status].''.$rec[issued].''.$rec[expires].''.$rec[common_name].'' . htvar($rec['email']) . ''.htvar($rec[organization]).''.htvar($rec[unit]).''.htvar($rec[locality]).''. - 'Display'; + if ($ascdec == 'A') { + $arrow_gif = '../images/uparrow-blue.gif'; + $ht_ascdec = 'D'; + } else { + $arrow_gif = '../images/downarrow-blue.gif'; + $ht_ascdec = 'A'; + } - if ($rec['status'] == 'Valid') { - print ' - '. - 'Download - '. - 'Revoke'; - } - print ' - '. - 'Renew
'; + $headings = array( + 'status'=>"Status", 'issued'=>"Issued", 'expires'=>"Expires", + 'common_name'=>"User's Name", 'email'=>"E-mail", + 'organization'=>"Organization", 'unit'=>"Department", + 'locality'=>"Locality" + ); - printFooter(); + foreach ($headings as $field => $head) { + print ''.$head.''; + + if ($sortfield == $field) { + print ' '. + '\'Change'; + } + + print ''; + } + print 'Actions'; + print ''; + + $x = "^[$show_valid$show_revoked$show_expired]"; + + if (in_array($PHPki_user, $PHPki_admins)) { + $x = "$x.*$search"; + } else { + $x = "$x.*$search.*$PHPki_user|$x.*$PHPki_user.*$search"; + } + + $db = csort(CAdb_to_array($x), $sortfield, ($ascdec=='A'?SORT_ASC:SORT_DESC)); + + $stcolor = array('Valid'=>'green','Revoked'=>'red','Expired'=>'orange'); + + foreach ($db as $rec) { + print ' + ' . $rec['status'] . ' + '.$rec['issued'].' + '.$rec['expires'].' + ' . $rec['common_name'] . ' + ' . htvar($rec['email']) . ' + ' . htvar($rec['organization']) . ' + ' . htvar($rec['unit']) . ' + ' . htvar($rec['locality']) . ' + '. + 'Display'; + + if ($rec['status'] == 'Valid') { + print ' + ' . + 'Download + ' . + 'Revoke'; + } + print ' + ' . + 'Renew + '; + } + + print ''; + + printFooter(); } ?> diff --git a/root/ca/policy.html b/root/ca/policy.html index 6f6ef88..c2558a5 100644 --- a/root/ca/policy.html +++ b/root/ca/policy.html @@ -1,78 +1,34 @@ - - - -Certificate Authority Agreement - - - - -

Certificate Authority Agreement

-

Policy and Practices

- -

-

This is a statement of practices by this Digital Certificate Authority. -Your use of this Certificate Authority constitutes your and/or your agency's -understanding and full acceptance of these practices and all associated risks. -Please have an authorized person at your agency sign this document and fax it to 000-000-0000 - -

This document may not be all encompassing, and we reserve the right to modify it at any time. - -

    -
  • The sole role of this Certificate Authority is -to provide and maintain a password protected software application for the easy -and instant creation and management of standard x.509 personal digital -certificates for e-mail encryption. We assume no responsibility for -verifying the identity of any persons other than that of the limited number of -authorized users of the software. -We accept no liability for damages resulting from the use, misuse, -or compromise of the software application or its host server. - -

  • As an authorized user of the software, you are in effect THE Certificate Authority for your -agency. As such, you are solely -responsible for authenticating the identity of the persons for whom you obtain -certificates. We accept no -responsibility or liability for non-repudiation in any digital certificate -created by this software. You agree that -password protection to the application by authorized certificate managers, -and personal identity management by -those managers is sufficient to create a chain of trust for non-repudiation -in all digital certificates created using the software. - -

  • No more than two(2) -users at your agency should have access to your agency's Certificate Authority -password. We should be notified -immediately, via e-mail, when the employment of any -authorized user at your agency is terminated so that a new password can be -issued. - -

  • This Certificate -Authority software application is accessed via the Internet using standard SSL -or Secure Server encryption mechanisms. -Although steps have been taken to protect the security and availability -of the host server and application, its exposure to the Internet as well as any -presently unknown security flaws could lead to potential compromise of the -software and your certificates. - -

  • No promise is made as -to the availability of the software in the event of hardware, software, or -telecommunications failure or maintenance.  -No advanced notice will be given when the software must be temporarily -taken off line for service. - -

  • In order to provide -software which can easily create "instant" certificates it is -necessary to store all private keys on the host server. As such, all private keys are potentially exposed -to the Internet and suffer some risk of unauthorized access. However, since all private keys ARE -ENCRYPTED using a password provided by you, they are unlikely to be usable by -any intruder. - -

  • A publicly accessible -web page is provided for interested Internet users to download the Certificate -Authority root certificate, certificate revocation list, and search for the -e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static -content with users' e-mail addresses is available. - -
- - - + + + + + Certificate Authority Agreement + + + +

Certificate Authority Agreement

+ +

Policy and Practices


+
+ +

This is a statement of practices by this Digital Certificate Authority. Your use of this Certificate Authority constitutes your and/or your agency's understanding and full acceptance of these practices and all associated risks. Please have an authorized person at your agency sign this document and fax it to 000-000-0000

+ +

This document may not be all encompassing, and we reserve the right to modify it at any time.

+ +
    +
  • The sole role of this Certificate Authority is to provide and maintain a password protected software application for the easy and instant creation and management of standard x.509 personal digital certificates for e-mail encryption. We assume no responsibility for verifying the identity of any persons other than that of the limited number of authorized users of the software. We accept no liability for damages resulting from the use, misuse, or compromise of the software application or its host server.
    • + +
  • As an authorized user of the software, you are in effect THE Certificate Authority for your agency. As such, you are solely responsible for authenticating the identity of the persons for whom you obtain certificates. We accept no responsibility or liability for non-repudiation in any digital certificate created by this software. You agree that password protection to the application by authorized certificate managers, and personal identity management by those managers is sufficient to create a chain of trust for non-repudiation in all digital certificates created using the software.
    • + +
  • No more than two(2) users at your agency should have access to your agency's Certificate Authority password. We should be notified immediately, via e-mail, when the employment of any authorized user at your agency is terminated so that a new password can be issued.
    • + +
  • This Certificate Authority software application is accessed via the Internet using standard SSL or Secure Server encryption mechanisms. Although steps have been taken to protect the security and availability of the host server and application, its exposure to the Internet as well as any presently unknown security flaws could lead to potential compromise of the software and your certificates.
    • + +
  • No promise is made as to the availability of the software in the event of hardware, software, or telecommunications failure or maintenance.  No advanced notice will be given when the software must be temporarily taken off line for service.
    • + +
  • In order to provide software which can easily create "instant" certificates it is necessary to store all private keys on the host server. As such, all private keys are potentially exposed to the Internet and suffer some risk of unauthorized access. However, since all private keys ARE ENCRYPTED using a password provided by you, they are unlikely to be usable by any intruder.
    • + +
  • A publicly accessible web page is provided for interested Internet users to download the Certificate Authority root certificate, certificate revocation list, and search for the e-mail addresses and public certificates of users. So as to avoid e-mail address scraping by spammers, no static content with users' e-mail addresses is available.
    • +
+ + diff --git a/root/ca/request_cert.php b/root/ca/request_cert.php index 31582e7..1b0a4f7 100644 --- a/root/ca/request_cert.php +++ b/root/ca/request_cert.php @@ -7,7 +7,7 @@ include('../include/common.php') ; include('../include/openssl_functions.php') ; # User's preferences file -$user_cnf = "$config[home_dir]/config/user-".strtr($PHPki_user,'/\\','|#').'.php'; +$user_cnf = $config['home_dir'] . "/config/user-".strtr($PHPki_user, '/\\', '|#').'.php'; # Retrieve GET/POST values $form_stage = gpvar('form_stage'); @@ -25,7 +25,8 @@ $passwdv = gpvar('passwdv'); $expiry = gpvar('expiry'); $keysize = gpvar('keysize'); $cert_type = gpvar('cert_type'); - +$dns_names = gpvar('dns_names'); +$ip_addr = gpvar('ip_addr'); # To repopulate form after error. $hidden_fields = ' @@ -41,275 +42,419 @@ $hidden_fields = ' + + '; switch ($form_stage) { + case 'validate': + $er = ''; -case 'validate': - $er = ''; + if (! $country) { + $er .= 'Missing Country
'; + } + if (! $province) { + $er .= 'Missing State/Province
'; + } + if (! $locality) { + $er .= 'Missing Locality (City/County)
'; + } + if (! $organization) { + $er .= 'Missing Organization (Company/Agency)
'; + } + if (! $unit) { + $er .= 'Missing Unit/Department
'; + } + if (! $common_name) { + $er .= 'Missing E-mail User\'s Full Name
'; + } + if (! $email) { + $er .= 'Missing E-mail Address
'; + } - if (! $country) $er .= 'Missing Country
'; - if (! $province) $er .= 'Missing State/Province
'; - if (! $locality) $er .= 'Missing Locality (City/County)
'; - if (! $organization) $er .= 'Missing Organization (Company/Agency)
'; - if (! $unit) $er .= 'Missing Unit/Department
'; - if (! $common_name) $er .= 'Missing E-mail User\'s Full Name
'; - if (! $email) $er .= 'Missing E-mail Address
'; + if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwd) { + $er .= 'Missing Certificate Password
'; + } + if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwdv) { + $er .= 'Missing Certificate Password Verification "Again"
'; + } - if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwd) $er .= 'Missing Certificate Password
'; - if (($cert_type == 'email' || $cert_type == 'email_signing') && ! $passwdv) $er .= 'Missing Certificate Password Verification "Again"
'; + if ($passwd && strlen($passwd) < 8) { + $er .= 'Certificate password is too short.
'; + } - if ( $passwd && strlen($passwd) < 8 ) - $er .= 'Certificate password is too short.
'; + if ($passwd and $passwd != $passwdv) { + $er .= 'Password and password verification do not match.
'; + } - if ( $passwd and $passwd != $passwdv ) - $er .= 'Password and password verification do not match.
'; + //if ( ! is_alnum($passwd) or ! is_alnum($passwdv) ) + // $er .= 'Password contains invalid characters.
'; - //if ( ! is_alnum($passwd) or ! is_alnum($passwdv) ) - // $er .= 'Password contains invalid characters.
'; + if ($email && ! is_email($email)) { + $er .= 'E-mail address ('. htvar($email) . ') may be invalid.
'; + } - if ( $email && ! is_email($email) ) - $er .= 'E-mail address ('. htvar($email) . ') may be invalid.
'; + $ip_ar=explode("\n", $ip_addr); + foreach ($ip_ar as $value) { + if ($value && ! is_ip($value)) { + $er .= 'IP address ('. htvar($value) . ') may be invalid.
'; + } + } - if ( $er ) - $er = '

ERROR(S) IN FORM:

' . $er . '

'; + $dns_n=explode("\n", $dns_names); + foreach ($dns_n as $value) { + if ($value && ! is_fqdn(trim($value))) { + $er .= 'DNS Name ('. htvar($value) . ') may be invalid.
'; + } + } + if ($er) { + $er = '

ERROR(S) IN FORM:

' . $er . '

'; + } - if ($email && ($serial = CAdb_in($email,$common_name))) { - $er = ''; - $certtext = CA_cert_text($serial); - $er .= '

A valid certificate already exists for ' . htvar("$common_name <$email>") . '

'; - $er .= '
 ' . htvar($certtext) . '
'; + if ($email && ($serial = CAdb_in($email, $common_name))) { + $er = ''; + $certtext = CA_cert_text($serial); + $er .= '

A valid certificate already exists for ' . htvar("$common_name <$email>") . '

'; + $er .= '
 ' . htvar($certtext) . '
'; + } - } + if ($er) { + printHeader(); + ?> - if ($er) { - printHeader(); - ?> +
+ + +
- - - -
- - "; + "; - printFooter(); - break; - } + printFooter(); + break; + } -case 'confirm': - printHeader(); + case 'confirm': + printHeader(); - ?> -

You are about to create a certificate using the following information:

- - + ?> +

You are about to create a certificate using the following information:

+
-

- User's Name
- E-mail Address
- Organization
- Department/Unit
- Locality
- State/Province
- Country
- Certificate Life
- Key Size
- Certificate Use
-

+ - +
+

+ User's Name
+ E-mail Address
+ Organization
+ Department/Unit
+ Locality
+ State/Province
+ Country
+ Certificate Life
+ Key Size
+ Certificate Use
+ '; + print 'IP Addresses
'; + } + ?> +

+ 		- '; - print htvar($email) . '
'; - print htvar($organization) . '
'; - print htvar($unit) . '
'; - print htvar($locality) . '
'; - print htvar($province) . '
'; - print htvar($country) . '
'; - print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'
'; - print htvar($keysize). ' bits
'; - print htvar($cert_type). '
'; - ?> - 		+ '; + print htvar($email) . '
'; + print htvar($organization) . '
'; + print htvar($unit) . '
'; + print htvar($locality) . '
'; + print htvar($province) . '
'; + print htvar($country) . '
'; + print htvar($expiry). ' Year'.($expiry == 1 ? '' : 's').'
'; + print htvar($keysize). ' bits
'; -
-

Are you sure?

-

- - -   - -

+ switch ($cert_type) { + case 'email': + print 'E-mail, SSL Client' . '
'; + break; + case 'email_signing': + print 'E-mail, SSL Client, Code Signing' . '
'; + break; + case 'server': + print 'SSL Server' . '
'; + print htvar($dns_names). '
'; + print htvar($ip_addr). '
'; + break; + case 'vpn_client': + print 'VPN Client Only' . '
'; + break; + case 'vpn_server': + print 'VPN Server Only' . '
'; + break; + case 'vpn_client_server': + print 'VPN Client, VPN Server' . '
'; + break; + case 'time_stamping': + print 'Time Stamping' . '
'; + } + ?> + - - # Save user's defaults - $fp = fopen($user_cnf,'w'); - $x = ''; - fwrite($fp,$x); - fclose($fp); +

Are you sure? After creation you will be returned to the Create Certificate dialogue.

+

+ + + +   + +
- break; + '; + fwrite($fp, $x); + fclose($fp); - if (! $ret) { - printHeader(); + break; - ?> -
method=post> - -

There was an error creating your certificate.


-
-

Debug Info:

-
-
-

- - -

-

- +
+ +

There was an error creating your certificate.


+
+

Debug Info:

+
+
+

+ + +

+

+ - -
- - + # Clear common_name fields + $common_name = ''; - - - - + // We could add 'return to index or create another certificate' - - - - + default: + # + # Default fields to reasonable values if necessary. + # + if (! $submit and file_exists($user_cnf)) { + include($user_cnf); + } - - - - + if (! $country) { + $country = $config['country']; + } + if (! $province) { + $province = $config['province']; + } + if (! $locality) { + $locality = ""; + } + if (! $organization) { + $organization = ""; + } + if (! $unit) { + $unit = ""; + } + if (! $email) { + $email = ""; + } + if (! $expiry) { + $expiry = 1; + } + if (! $keysize) { + $keysize = 2048; + } + if (! $cert_type) { + $cert_type = 'email'; + } + if (! $dns_names) { + $dns_names = ""; + } + if (! $ip_addr) { + $ip_addr = ""; + } - - - + printHeader(); + ?> - - - + + +

Certificate Request Form

Common Name
(i.e. User real name or computer hostname)
E-mail Address
Organization (Company/Agency)
Department/Unit
Locality (City/County)
+ + "; + echo ""; + } + ?> + + + + - - - + + + + - - - - + + + + - - - - + + + - - - + - print "\n" ; - print "\n" ; - print "\n" ; - for ( $i = 2 ; $i <= 5 ; $i++ ) { - print "\n" ; - } + + + - ?> + + + + - - + + + + - - - + + - + 1 Month\n" ; + print "\n" ; + print "\n" ; + print "\n" ; + for ($i = 2; $i <= 5; $i++) { + print "\n" ; + } - - - - + ?> - - - -

Certificate Request Form

Previous Certificate Created successfully

$serial

Create another or go to back to the Menu

Menu
Common Name *
(i.e. User real name or computer hostname - used as SubjectAltName)
State/Province
E-mail Address *
Country
Organization(Company/Agency) *
Certificate Password    Again
Department/Unit *
Certificate Life Locality(City/County) *
State/Province *
Country *
Certificate Password *
(Min 8 chars - Mandatory for Email,SSL Client,Code signing)		 +    Again + +
Key Size
Certificate Life*
Certificate Use:
* All fields are required
-
- + - printFooter(); + + Key Size* + + + + + Certificate Use:* + + + + + Alternative DNS Names
(only one per Line) + + + + IP's
(only one per Line) + + +   +   + + + * Fields are required + + + + diff --git a/root/config.php b/root/config.php index 72411f9..5ce0432 100644 --- a/root/config.php +++ b/root/config.php @@ -1,3 +1,2 @@ +define("PHPKI_VERSION", "0.84"); diff --git a/root/css/style.css b/root/css/style.css index 52bef95..fbe0c95 100644 --- a/root/css/style.css +++ b/root/css/style.css @@ -1,172 +1,175 @@ -h1 { - font-size: 32px; -} - -h2 { - font-size: 24px; -} - -h3 { - font-size: 18px; -} - -body { - margin: 10px; - padding: 0; - background: #fafaff; - font-family: Arial, Veranda, Helvetica, sans-serif; - font-size: 12px; -} - -img { - border: 0; -} - -a { - color: #00F; - background-color: transparent; -} - -a:link, a:active, a:visited { - color: #00F; - background-color: transparent; -} - -a.headermenu:link, a.headermenu:active, a.headermenu:visited { - text-decoration: underline; - color: #00F; - background-color: transparent; - padding-left: 8px; -} - -form { - padding: 0; - margin: 0; -} - - -fieldset { - border: 2px solid black; - margin-left: 10px; - padding: 10px; - width: 700px; - font-size: 10px; -} - -legend { - background-color: rgb(200, 220, 240); - border: 2px solid black; - padding: 0.25em; - padding-top: 0.1em; - font-size: 12px; -} - -table { - font-size: 12px; - margin-right: .1in; -} - -th { - font-weight: bold; - background-color: #AFC3E4; - padding: 3px; - color: #323C4D; - text-align: center; - vertical-align: middle; - border: 1px solid #606060; - white-space: nowrap; -} - -td { - background-color: #DEE3EC; - padding: 3px; - text-align: left; - vertical-align: middle; - border: 1px solid #a0a0a0; -} - -.menu { - height: 22px; - font-size: 13px; - text-align: center; - vertical-align: bottom; - border: 1px solid #808080; - border-left: 2px solid #808080; - border-bottom: 2px solid #808080; - color: #000000; -} - -.menu-pad { - height: 22px; - font-size: 13px; - text-align: center; - padding-left: 1em; - padding-right: 1em; - vertical-align: bottom; - border: 1px solid #808080; - border-left: 2px solid #808080; - border-bottom: 2px solid #808080; - color: #000000; -} -.menu a { - vertical-align: bottom; - text-decoration: none; - font-size: 13px; - -} - -.headermenu-ie { - text-align: right; - margin-right: 0.1in; - margin-top: -0.20in; -} - -.headermenu-konq { - text-align: right; - margin-right: 0.1in; - margin-top: -0.25in; -} - - -.logo-ie { - font-family: 'impact', sans-serif; - font-size: 60pt; - font-weight: bold; - color: #99caff; - margin-top: -0.20in; - margin-bottom: 0; - margin-right: 0.2in; - text-align: left; -} - -.title-ie { - font-family: 'impact', sans-serif; - font-size: 22pt; - font-weight: bold; - font-style: italic; - margin-right: 0.4in; - margin-top: -0.52in; - margin-bottom: 0; - text-align: left; } - -.logo-konq { - font-family: 'impact', sans-serif; - font-size: 62pt; - font-weight: bold; - color: #99caff; - margin-top: -0.20in; - margin-bottom: 0; - margin-right: 0.2in; - text-align: left; -} - -.title-konq { - font-family: 'impact', 'sans-serif'; - font-size: 24pt; - font-weight: bold; - font-style: italic; - margin-right: 0.4in; - margin-top: -0.55in; - margin-bottom: 0; - text-align: left; -} +h1 { + font-size: 32px; +} + +h2 { + font-size: 24px; +} + +h3 { + font-size: 18px; +} + +body { + margin: 10px; + padding: 0; + background: #fafaff; + font-family: Arial, Veranda, Helvetica, sans-serif; + font-size: 14px; +} + +img { + border: 0; +} + +a { + color: #00F; + background-color: transparent; +} + +a:link, a:active, a:visited { + color: #00F; + background-color: transparent; +} + +a.headermenu:link, a.headermenu:active, a.headermenu:visited { + text-decoration: underline; + color: #00F; + background-color: transparent; + padding-left: 8px; +} + +form { + padding: 0; + margin: 0; +} + +input[type='submit']:active{ + background-color:green; +} + +fieldset { + border: 2px solid black; + margin-left: 10px; + padding: 10px; + width: 700px; + font-size: 10px; +} + +legend { + background-color: rgb(200, 220, 240); + border: 2px solid black; + padding: 0.25em; + padding-top: 0.1em; + font-size: 12px; +} + +table { + font-size: 12px; + margin-right: .1in; +} + +th { + font-weight: bold; + background-color: #AFC3E4; + padding: 3px; + color: #323C4D; + text-align: center; + vertical-align: middle; + border: 1px solid #606060; + white-space: nowrap; +} + +td { + background-color: #DEE3EC; + padding: 3px; + text-align: left; + vertical-align: middle; + border: 1px solid #a0a0a0; +} + +.menu { + height: 22px; + font-size: 13px; + text-align: center; + vertical-align: bottom; + border: 1px solid #808080; + border-left: 2px solid #808080; + border-bottom: 2px solid #808080; + color: #000000; +} + +.menu-pad { + height: 22px; + font-size: 13px; + text-align: center; + padding-left: 1em; + padding-right: 1em; + vertical-align: bottom; + border: 1px solid #808080; + border-left: 2px solid #808080; + border-bottom: 2px solid #808080; + color: #000000; +} + +.menu a { + vertical-align: bottom; + text-decoration: none; + font-size: 13px; +} + +.headermenu-ie { + text-align: center; + margin-right: 0.1in; + margin-top: 0.20in; +} + +.headermenu-konq { + text-align: center; + margin-right: 0.1in; + margin-top: 0.25in; +} + +.logo-ie { + font-family: 'impact', sans-serif; + font-size: 60pt; + font-weight: bold; + color: #99caff; + margin-top: -0.20in; + margin-bottom: 0; + margin-right: 0.2in; + text-align: left; +} + +.title-ie { + font-family: 'impact', sans-serif; + font-size: 22pt; + font-weight: bold; + font-style: italic; + margin-right: 0.4in; + margin-top: -0.52in; + margin-bottom: 0; + text-align: left; +} + +.logo-konq { + font-family: 'impact', sans-serif; + font-size: 62pt; + font-weight: bold; + color: #99caff; + margin-top: -0.20in; + margin-bottom: 0; + margin-right: 0.2in; + text-align: left; +} + +.title-konq { + font-family: 'impact', 'sans-serif'; + font-size: 24pt; + font-weight: bold; + font-style: italic; + margin-right: 0.4in; + margin-top: -0.55in; + margin-bottom: 0; + text-align: left; +} diff --git a/root/gen_crl.php b/root/gen_crl.php index dfab63a..e590b5b 100644 --- a/root/gen_crl.php +++ b/root/gen_crl.php @@ -1,5 +1,8 @@ - diff --git a/root/help.php b/root/help.php index f9b1ac3..b7b96cc 100644 --- a/root/help.php +++ b/root/help.php @@ -5,12 +5,14 @@ include('./include/common.php'); printHeader(about); ?> -

PHPki HELP FILES

-help/PKI_basics.html>

PKI and E-mail Encryption - A Brief Explanation

 -help/cacert_install_ie.html>

Installing Our Root Certificate For Use With Outlook and Outlook Express

 -

help/usercert_install_ie.html>

Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express

-

help/glossary.html>

Glossary

+
+

PHPki HELP FILES

+

PKI and E-mail Encryption - A Brief Explanation

+

Installing Our Root Certificate For Use With Outlook and Outlook Express

+

Installing Your Personal E-mail Certificate For Use With Outlook and Outlook Express

+

Glossary

+
- diff --git a/root/help/PKI_basics.html b/root/help/PKI_basics.html index 615fa10..539bfef 100644 --- a/root/help/PKI_basics.html +++ b/root/help/PKI_basics.html @@ -1,64 +1,28 @@ + + - -PKI and E-mail Encryption - A Brief Explanation + + + PKI and E-mail Encryption - A Brief Explanation + -

PKI and E-mail Encryption - A Brief Explanation

+
+

PKI and E-mail Encryption - A Brief Explanation

+
-PKI stands for Public Key Infrastructure. PKI is Information -Technology infrastructure that enables users of a basically unsecure public -network (such as the Internet) to securely and privately exchange data through -the use of a public and a private -cryptographic key pair that is obtained and shared through a -trusted Authority. +

PKI stands for Public Key Infrastructure. PKI is Information Technology infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted Authority.

-

-Public and private keys are like two halves of a single key. PKI encryption -algorithms are designed such that a public key is used to encrypt or -"lock" a message, and only the complementary private key can "unlock" that -message. -Think of a bank vault or safe that can only be unlocked by two individuals -using two different but complementary keys. Neither of those keys can be used -by itself to unlock the vault. +

Public and private keys are like two halves of a single key. PKI encryption algorithms are designed such that a public key is used to encrypt or "lock" a message, and only the complementary private key can "unlock" that message. Think of a bank vault or safe that can only be unlocked by two individuals using two different but complementary keys. Neither of those keys can be used by itself to unlock the vault.

-

-In practice, individuals wishing to exchange encrypted e-mail -will agree to mutually trust one or more -Certificate Authorities(CA) by downloading and installing each trusted Authority's -root certificate on their computers. -They will each obtain their own personal -digital certificate -from a trusted Certificate Authority, and install them on their -respective computers. -Because they mutually trust the Certificate Authorities, they trust each other's -digital certificates. More specifically, they trust the -public keys contained within -their personal digital certificates which have been -digitally signed by a -trusted Certificate Authority. -They will then exchange their trusted public keys by sending each other -digitally signed e-mail messages. Once each party has the other's public key, -they may exchange trusted and encrypted messsages. +

In practice, individuals wishing to exchange encrypted e-mail will agree to mutually trust one or more Certificate Authorities(CA) by downloading and installing each trusted Authority's root certificate on their computers. They will each obtain their own personal digital certificate from a trusted Certificate Authority, and install them on their respective computers. Because they mutually trust the Certificate Authorities, they trust each other's digital certificates. More specifically, they trust the public keys contained within their personal digital certificates which have been digitally signed by a trusted Certificate Authority. They will then exchange their trusted public keys by sending each other digitally + signed e-mail messages. Once each party has the other's public key, they may exchange trusted and encrypted messsages.

-

-Public key exchange and encryption is like exchanging notarized documents. -One trusts a notarized document because a trusted third party, the Notary -Public, has signed it. The Certificate Authority is the Notary Public, and -the public keys are the documents. +

Public key exchange and encryption is like exchanging notarized documents. One trusts a notarized document because a trusted third party, the Notary Public, has signed it. The Certificate Authority is the Notary Public, and the public keys are the documents.

-

-Remember, having a personal digital certificate alone does not -give one the ability to send encrypted e-mail to others, but only allows the -receipt of encrypted e-mail. PKI is a cooperative encryption -standard. Both parties who are exchanging encrypted messages must have -personal digital certificates, they must trust the Certificate Authority -which issued the other persons certificate, and they must exchange -public keys with each other, as described above. - -

-The process of installing certificates and exchanging public keys is dependent -upon the e-mail application one uses, and is beyond the scope of this document. +

Remember, having a personal digital certificate alone does not give one the ability to send encrypted e-mail to others, but only allows the receipt of encrypted e-mail. PKI is a cooperative encryption standard. Both parties who are exchanging encrypted messages must have personal digital certificates, they must trust the Certificate Authority which issued the other persons certificate, and they must exchange public keys with each other, as described above.

+

The process of installing certificates and exchanging public keys is dependent upon the e-mail application one uses, and is beyond the scope of this document.

diff --git a/root/help/cacert_install_ie.html b/root/help/cacert_install_ie.html index bf62331..6118a7d 100644 --- a/root/help/cacert_install_ie.html +++ b/root/help/cacert_install_ie.html @@ -1,29 +1,47 @@ + + -Root Certificate Installation for Outlook & Outlook Express - + Root Certificate Installation for Outlook & Outlook Express + - -

Root Certificate Installation for Outlook & Outlook Express

-

A Step-by-Step Guide


-

-

-

Open the folder which holds the certificates you have downloaded.
-Right-click on the certificate you wish to install, and select -Install Certificate from the context menu. -


-

Click the Next button in the Certificate Wizard -welcome window. -


-

Click the Next button in the Select a Certificate Store window. -


-

Click the Finish button in the Complete the Certificate.. window. -


-

You may be asked to confirm the root certificate installation. Click the Yes button if a window like this appears. -


-

Windows confirms the root certificate was successfully imported.
-You may now install your personal e-mail certificate. -

+ +
+

Root Certificate Installation for Outlook & Outlook Express

+ +

A Step-by-Step Guide

+

+ +

+ +

Open the folder which holds the certificates you have downloaded.
+ Right-click on the certificate you wish to install, and select Install Certificate from the context menu.

+ +


+

+ +

Click the Next button in the Certificate Wizard welcome window.

+ +


+

+ +

Click the Next button in the Select a Certificate Store window.

+ +


+

+ +

Click the Finish button in the Complete the Certificate.. window.

+ +


+

+ +

You may be asked to confirm the root certificate installation. Click the Yes button if a window like this appears.

+ +


+

+ +

Windows confirms the root certificate was successfully imported.
+ You may now install your personal e-mail certificate.

diff --git a/root/help/glossary.html b/root/help/glossary.html index 28c2044..391ef2b 100644 --- a/root/help/glossary.html +++ b/root/help/glossary.html @@ -1,144 +1,169 @@ + + -PHPki Glossary - + PHPki Glossary + + + - -

- - - + + +

PUBLIC KEY INFRASTRUCTURE

-PKI stands for Public Key Infrastructure. PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. + + + + -PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected. - -
+

PUBLIC KEY INFRASTRUCTURE

+
+
PKI stands for Public Key Infrastructure. PKI is IT infrastructure that enables users of a basically unsecure public network (such as the Internet) to securely and privately exchange data through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. PKI is not only software or hardware. It is an infrastructure. So, PKI is a combination of products, services, facilities, policies, procedures, agreements, and people. All of these elements work together to provide for secure interactions on the Internet and other open networks. PKI is not a single monolithic entity, but a distributed system. The component elements may include multiple organization-specific public key infrastructures that are interoperable and interconnected.
-

- - - + +

DIGITAL CERTIFICATE

-

-An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply. + + + + -

An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet. +

+ -
+

DIGITAL CERTIFICATE

+
+

An attachment to an electronic message used for security purposes. The most common use of a digital certificate is to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.

-

The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply. +

An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through print publicity or perhaps on the Internet.

-

The most widely used standard for digital certificates is X.509. -

+

The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.

-

- - - -

CERTIFICATE AUTHORITY

-A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be. -
+

The most widely used standard for digital certificates is X.509.

+
-

- - - + + +

PUBLIC KEY ENCRYPTION

-A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it. + + + + -

An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key. - -

+

CERTIFICATE AUTHORITY

+
+
A trusted third-party organization or company that issues digital certificates used to create digital signatures and public-private key pairs. The role of the CA in this process is to guarantee that the individual granted the unique certificate is, in fact, who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual's claimed identity. CAs are a critical component in data security and electronic commerce because they guarantee that the two parties exchanging information are really who they claim to be.
-

- - - -

S/MIME

-S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the RSA encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF). -
+ + + + -

-

+

PUBLIC KEY ENCRYPTION

+
- - -

RSA

-RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards. -
+ + +

A cryptographic system that uses two keys -- a public key known to everyone and a private or secret key known only to the recipient of the message. When John wants to send a secure message to Jane, he uses Jane's public key to encrypt the message. Jane then uses her private key to decrypt it.

-

- - - -

ROOT CERTIFICATE

-A root certificate is like a MASTER -digital certificate. -You must install a certificate authority's root certificate -before you can trust other certificates issued by that same certificate -authority. Root certificates are used to "sign" other certificates. -A signature by a root certificate is somewhat analogous to "notarizing" a -document in the physical world. When you install a root certificate on your -computer, you are saying you "trust" that certification authority and all -certificates it signs. -
+

An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to deduce the private key if you know the public key.

+ + + -

- - - -

DIGITAL SIGNATURE

-A digital code that can be attached to an electronically transmitted message -that uniquely identifies the sender. Like a written signature, the purpose of -a digital signature is to guarantee that the individual sending the message -really is who he or she claims to be. Digital certificates inherently provide -digital signature capability to most S/MIME enable e-mail clients. Digitally -signing an e-mail usually provides the recipient the with the sender's public -key, so the recipient may then send encrypted e-mail back to the sender. -
+ + + + -

-

+

S/MIME

+
- - -

X.509

-The most widely used standard for defining digital certificates. X.509 is -actually an ITU Recommendation, which means that has not yet been officially -defined or approved. As a result, companies have implemented the standard in -different ways. For example, both Netscape and Microsoft use X.509 certificates -to implement SSL in their web servers and browsers. But an X.509 certificate -generated by Netscape may not be readable by Microsoft products, and vice -versa. -
+ + S/MIME (Secure Multi-Purpose Internet Mail Extensions) is a secure method of sending e-mail that uses the RSA encryption system. S/MIME is included in the latest versions of the Web browsers from Microsoft and Netscape and has also been endorsed by other vendors that make messaging products. RSA has proposed S/MIME as a standard to the Internet Engineering Task Force (IETF). + + -

- - - -

PEM

-PEM is a widely used standard for storing digital certificates. -A PEM encoded file can contain all of private keys, public keys, and -(x.509) certificates. It is the default format for OpenSSL. -It stores data in Base64 encoded format, surrounded by ascii headers, so it is -suitable for text mode transfers between systems. PEM files usually end with -a .PEM extension. -
+ + + + -

-

+

RSA

+
- - -

DER

-DER is a widely used standard for storing digital certificates. A DER encoded -file can contain all of private keys, public keys, and (x.509) -certificates. DER is a binary encoded headerless format. DER files usually -end with a .CRT or .CER extension. -
+ + RSA is an Internet encryption and authentication system that uses an algorithm developed in 1977 by Ron Rivest, Adi Shamir, and Leonard Adleman. The RSA algorithm is the most commonly used encryption and authentication algorithm and is included as part of the Web browsers from Microsoft and Netscape. It's also part of Lotus Notes, Intuit's Quicken, and many other products. The encryption system was owned by RSA Security, but a recent patent expiration placed it into the public domain. The technologies are part of existing or proposed Web, Internet, and computing standards. + + -

- - - -

PKCS #12

-PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a .PFX extension. -
+ + + + -

+ + + +
+

ROOT CERTIFICATE

+
A root certificate is like a MASTER digital certificate. You must install a certificate authority's root certificate before you can trust other certificates issued by that same certificate authority. Root certificates are used to "sign" other certificates. A signature by a root certificate is somewhat analogous to "notarizing" a document in the physical world. When you install a root certificate on your computer, you are saying you "trust" that certification authority and all certificates it signs.
+ + + + + + + + + +
+

DIGITAL SIGNATURE

+
A digital code that can be attached to an electronically transmitted message that uniquely identifies the sender. Like a written signature, the purpose of a digital signature is to guarantee that the individual sending the message really is who he or she claims to be. Digital certificates inherently provide digital signature capability to most S/MIME enable e-mail clients. Digitally signing an e-mail usually provides the recipient the with the sender's public key, so the recipient may then send encrypted e-mail back to the sender.
+ + + + + + + + + +
+

X.509

+
The most widely used standard for defining digital certificates. X.509 is actually an ITU Recommendation, which means that has not yet been officially defined or approved. As a result, companies have implemented the standard in different ways. For example, both Netscape and Microsoft use X.509 certificates to implement SSL in their web servers and browsers. But an X.509 certificate generated by Netscape may not be readable by Microsoft products, and vice versa.
+ + + + + + + + + +
+

PEM

+
PEM is a widely used standard for storing digital certificates. A PEM encoded file can contain all of private keys, public keys, and (x.509) certificates. It is the default format for OpenSSL. It stores data in Base64 encoded format, surrounded by ascii headers, so it is suitable for text mode transfers between systems. PEM files usually end with a .PEM extension.
+ + + + + + + + + +
+

DER

+
DER is a widely used standard for storing digital certificates. A DER encoded file can contain all of private keys, public keys, and (x.509) certificates. DER is a binary encoded headerless format. DER files usually end with a .CRT or .CER extension.
+ + + + + + + + + +
+

PKCS #12

+
PKCS #12 (a.k.a. Personal Information Exchange Standard) is a standard for storing private keys and certificates securely (well sort of). It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. PKCS12 files usually end with a .PFX extension.

+
+ + diff --git a/root/help/usercert_install_ie.html b/root/help/usercert_install_ie.html index c223c34..62da42a 100644 --- a/root/help/usercert_install_ie.html +++ b/root/help/usercert_install_ie.html @@ -1,40 +1,51 @@ + + -Personal E-mail Certificate Installation for Outlook & Outlook Express - + Personal E-mail Certificate Installation for Outlook & Outlook Express + - -

Personal E-mail Certificate Installation for Outlook & Outlook Express

-

A Step-by-Step Guide


-

-

-

Open the folder which holds the certificates you have downloaded.
-Right-click on the certificate you wish to install, and select -Install PFX from the context menu. -


-

Click the Next button in the Certificate Wizard -welcome window. -


-

Click the Next button in the Select File to Import window. -


-

The personal e-mail certificate files created by PHPki contain an encrypted -copy of your private key. When your certficate was created, a password was -given to PHPki to encrypt the private key. The same password is used to -decrypt your private key and install the certificate. Do not forget or lose -this password as it cannot be recovered under any circumstance. -Select the Enable strong private key protection option if you -would like Windows to add an additional layer of password protection to use -your certificate. This is not necessary, and will not be covered further here. -There is no need to select the Mark the private key as exportable -option. Enter your certificate password and click the Next button -in the Password Protection for Private Keys window. -


-

Click the Next button in the Select a Certificate Store window. -


-

Click the Finish button in the Complete the Certificate.. window. -


-

Windows confirms the root certificate was successfully imported.
-

+ +
+

Personal E-mail Certificate Installation for Outlook & Outlook Express

+ +

A Step-by-Step Guide

+

+ +

+ +

Open the folder which holds the certificates you have downloaded.
+ Right-click on the certificate you wish to install, and select Install PFX from the context menu.

+ +


+

+ +

Click the Next button in the Certificate Wizard welcome window.

+ +


+

+ +

Click the Next button in the Select File to Import window.

+ +


+

+ +

The personal e-mail certificate files created by PHPki contain an encrypted copy of your private key. When your certficate was created, a password was given to PHPki to encrypt the private key. The same password is used to decrypt your private key and install the certificate. Do not forget or lose this password as it cannot be recovered under any circumstance. Select the Enable strong private key protection option if you would like Windows to add an additional layer of password protection to use your certificate. This is not necessary, and will not be covered further here. There is no need to select the Mark the private key as exportable option. Enter your certificate password and click the Next button in the Password Protection for Private Keys window.

+ +


+

+ +

Click the Next button in the Select a Certificate Store window.

+ +


+

+ +

Click the Finish button in the Complete the Certificate.. window.

+ +


+

+ +

Windows confirms the root certificate was successfully imported.

diff --git a/root/include/common.php b/root/include/common.php index 1f652bc..bdd0483 100644 --- a/root/include/common.php +++ b/root/include/common.php @@ -2,128 +2,147 @@ umask(0007); -if ($HTTP_SERVER_VARS['REMOTE_USER']) - $PHPki_user = md5($HTTP_SERVER_VARS['REMOTE_USER']); -else - $PHPki_user = md5('default'); +if (isset($_SERVER['PHP_AUTH_USER'])) { + $PHPki_user = md5($_SERVER['PHP_AUTH_USER']); +} else { + $PHPki_user = md5('default'); +} -$PHP_SELF = htmlspecialchars($HTTP_SERVER_VARS['PHP_SELF'], ENT_QUOTES, "utf-8"); +$PHP_SELF = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, "utf-8"); -function printHeader($withmenu="default") { - global $config; - $title = ($config['header_title']?$config['header_title']:'PHPki Certificate Authority'); - switch ($withmenu) { - case 'public': - case 'about': - case 'setup': - $style_css = './css/style.css'; - break; - case 'ca': - case 'admin': - default: - $style_css = '../css/style.css'; - break; - } +function printHeader($withmenu = "default") +{ + global $config; + $title = ($config['header_title']?$config['header_title']:'PHPki Certificate Authority'); - header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); - header("Expires: -1"); + switch ($withmenu) { + case 'public': + case 'about': + case 'setup': + $style_css = './css/style.css'; + break; + case 'ca': + case 'admin': + default: + $style_css = '../css/style.css'; + break; + } + + header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); + header("Expires: -1"); header("Cache-Control: no-store, no-cache, must-revalidate"); header("Cache-Control: post-check=0, pre-check=0", false); header("Pragma: no-cache"); - ?> - - - PHPki: <?=$title?> - - - - + + + + PHPki: <?php echo $title?> + + + + + -
> - href=readme.php>ReadMe - href=setup.php>Setup - href=about.php target=_about>About -
- "; + if (isKonq()) { + $logoclass = 'logo-konq'; + $titleclass = 'title-konq'; + $menuclass = 'headermenu-konq'; + } else { + $logoclass = 'logo-ie'; + $titleclass = 'title-ie'; + $menuclass = 'headermenu-ie'; + } - if (DEMO) { - print "Public"; - print "Manage"; - } - else { - print "Menu"; - } + ?> +
PHPki
+
+ Policy'; - } - ?> - href=help.php target=_help>Help - href=about.php target=_about>About - - "; + switch ($withmenu) { + case false: + case 'about': + break; + case 'setup': + ?> +
+ ReadMe + Setup + About +
+ "; - if (DEMO) { - print "Public"; - print "Manage"; - } - else { - print "Menu"; - } + if (DEMO) { + print "Public"; + print "Manage"; + } else { + print "Menu"; + } - if (file_exists('../policy.html')) { - print 'Policy'; - } - ?> - href=../help.php target=_help>Help - href=../about.php target=_about>About - - Policy'; + } + ?> + Help + About + + "; - ?>
Public"; + print "Manage"; + } else { + print "Menu"; + } + + if (file_exists('../policy.html')) { + print 'Policy'; + } + ?> + Help + About + +
-
-
-
PHPki v - Copyright 2003 - William E. Roadcap

- - - +
+
+

PHPki v - Copyright 2003 - William E. Roadcap

+ + + diff --git a/root/include/my_functions.php b/root/include/my_functions.php index 1dc2e59..21a906d 100644 --- a/root/include/my_functions.php +++ b/root/include/my_functions.php @@ -1,53 +1,61 @@ $v) { - my_stripslashes($a[$k]); - } - } - else { - $a = stripslashes($a); - } +function stripslashes_array(&$a) +{ + if (is_array($a)) { + foreach ($a as $k => $v) { + my_stripslashes($a[$k]); + } + } else { + $a = stripslashes($a); + } } # # Don't use this. # -function undo_magic_quotes(&$a) { - if(get_magic_quotes_gpc()) { - global $HTTP_POST_VARS, $HTTP_GET_VARS; +function undo_magic_quotes(&$a) +{ + if (get_magic_quotes_gpc()) { + global $HTTP_POST_VARS, $HTTP_GET_VARS; - foreach($HTTP_POST_VARS as $k => $v) { - stripslashes_array($HTTP_POST_VARS[$k]); - global $$k; - stripslashes_array($$k); - } - foreach($HTTP_GET_VARS as $k => $v) { - stripslashes_array($HTTP_GET_VARS[$k]); - global $$k; - stripslashes_array($$k); - } - } + foreach ($HTTP_POST_VARS as $k => $v) { + stripslashes_array($HTTP_POST_VARS[$k]); + global $$k; + stripslashes_array($$k); + } + foreach ($HTTP_GET_VARS as $k => $v) { + stripslashes_array($HTTP_GET_VARS[$k]); + global $$k; + stripslashes_array($$k); + } + } } # # Returns TRUE if argument contains only alphabetic characters. # -function is_alpha($v) { - #return (eregi('[^A-Z]',$v) ? false : true) ; - #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match() - return (preg_match('/[^A-Z]/i',$v) ? false : true) ; +function is_alpha($v) +{ + #return (eregi('[^A-Z]',$v) ? false : true) ; + #return (preg_match('/[^A-Z]'.'/i',$v,PCRE_CASELESS) ? false : true) ; # Replaced eregi() with preg_match() + return (preg_match('/[^A-Z]/i', $v) ? false : true) ; } # # Returns TRUE if argument contains only numeric characters. # - -function is_num($v) { - #return (eregi('[^0-9]',$v) ? false : true) ; - return (preg_match('/[^0-9]/',$v) ? false : true) ; # Replaced eregi() with preg_match() +function is_num($v) +{ + #return (eregi('[^0-9]',$v) ? false : true) ; + return (preg_match('/[^0-9]/', $v) ? false : true) ; # Replaced eregi() with preg_match() } # # Returns TRUE if argument contains only alphanumeric characters. # - -function is_alnum($v) { - #return (eregi('[^A-Z0-9]',$v) ? false : true) ; - return (preg_match('/[^A-Z0-9]/i',$v) ? false : true) ; # Replaced eregi() with preg_match() +function is_alnum($v) +{ + #return (eregi('[^A-Z0-9]',$v) ? false : true) ; + return (preg_match('/[^A-Z0-9]/i', $v) ? false : true) ; # Replaced eregi() with preg_match() } # # Returns TRUE if argument is in proper e-mail address format. # -function is_email($v) { - #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false); - return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i',$v) ? true : false); # Replaced eregi() with preg_match() +function is_email($v) +{ + #return (eregi('^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$',$v) ? true : false); + return (preg_match('/^[^@ ]+\@[^@ ]+\.[A-Z]{2,4}$'.'/i', $v) ? true : false); # Replaced eregi() with preg_match() +} + +# +# Returns True if the given string is a IP address +# +function is_ip($ip = null) +{ + if (!$ip or strlen(trim($ip)) == 0) { + return false; + } + $ip=trim($ip); + if (preg_match("/^[0-9]{1,3}(.[0-9]{1,3}){3}$/", $ip)) { + foreach (explode(".", $ip) as $block) { + if ($block<0 || $block>255) { + return false; + } + } + return true; + } + return false; +} + +# +# Returns True if the given string is a valid FQDN +# +function is_fqdn($FQDN) +{ + // remove leading wildcard characters if exist + $FQDN = preg_replace('/^\*\./', '', $FQDN, 1); + return (!empty($FQDN) && preg_match('/^(?=.{1,254}$)((?=[a-z0-9-]{1,63}\.)(xn--+)?[a-z0-9]+(-[a-z0-9]+)*\.)+(xn--+)?[a-z0-9]{2,63}$/i', $FQDN) > 0); } # @@ -208,23 +270,62 @@ function is_email($v) { # as a match is found. # -function eregi_array($regexp, $arr) { +function preg_match_array($regexp, $arr) +{ - foreach ($arr as $elem) { - #if (eregi($regexp,$elem)) - if (! preg_match('/^\/.*\/$/', $regexp)) # if it doesn't begin and end with '/' - $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match() - if (preg_match($regexp.'i',$elem)) # Replaced eregi() with preg_match() - return true; - } - return false; + foreach ($arr as $elem) { + #if (eregi($regexp,$elem)) + if (! preg_match('/^\/.*\/$/', $regexp)) { # if it doesn't begin and end with '/' + $regexp = '/'.$regexp.'/'; # pad the $regexp with '/' to prepare for preg_match() + } + if (preg_match($regexp.'i', $elem)) { # Replaced eregi() with preg_match() + return true; + } + } + return false; } # # Reads entire file into a string # Same as file_get_contents in php >= 4.3.0 # -function my_file_get_contents($f) { - return implode('', file($f)); +function my_file_get_contents($f) +{ + return implode('', file($f)); } -?> +function getOSInformation() +{ + if (false == function_exists("shell_exec")) { + return null; + } + $os = shell_exec('cat /etc/redhat-release'); + if (preg_match('/^SME Server/', $os)) { + return true; + } else { + return null; + } +} + +# Used in setup +function flush_exec($command, $line_length = 200) +{ + $handle = popen("$command 2>&1", 'r'); + + $line = ''; + while (! feof($handle)) { + $chr = fread($handle, 1); + $line .= $chr; + if ($chr == "\n") { + print str_replace("\n", "
\n", $line); + $line = ''; + flush(); + } elseif (strlen($line) > $line_length) { + print $line."
\n"; + $line = ''; + flush(); + } + } + print $line."
\n"; + flush(); + return; +} diff --git a/root/include/openssl_functions.php b/root/include/openssl_functions.php index 331b0d0..8d638fd 100644 --- a/root/include/openssl_functions.php +++ b/root/include/openssl_functions.php @@ -5,29 +5,88 @@ // File name is placed in ./tmp with a random name. It lingers unless // removed manually. // -function CA_create_cnf($country='',$province='',$locality='',$organization='',$unit='',$common_name='',$email='',$keysize=1024) { - global $config, $PHPki_user; +function CA_create_cnf($country = '', $province = '', $locality = '', $organization = '', $unit = '', $common_name = '', $email = '', $keysize = 2048, $dns_names = '', $ip_addr = '', $serial = '') +{ + global $config, $PHPki_user; - $issuer = $PHPki_user; + $issuer = $PHPki_user; + $count_dns = 0; + $count_ip = 0; + $alt_names = ""; - $cnf_contents = " -HOME = $config[home_dir] -RANDFILE = $config[random] -dir = $config[ca_dir] -certs = $config[cert_dir] -crl_dir = $config[crl_dir] -database = $config[index] -new_certs_dir = $config[new_certs_dir] -private_dir = $config[private_dir] -serial = $config[serial] -certificate = $config[cacert_pem] -crl = $config[cacrl_pem] -private_key = $config[cakey] -crl_extentions = crl_ext + if (! $dns_names == '') { + $dns_n=explode("\n", $dns_names); + $count_dns = $count_dns + 1; + $alt_names .= "DNS.$count_dns = $common_name\n"; + foreach ($dns_n as $value) { + if (! $value == '') { + $count_dns = $count_dns + 1; + $alt_names .= "DNS.$count_dns = ".trim($value)."\n"; + } + } + } + + if (! $ip_addr == '') { + $ip_ar=explode("\n", $ip_addr); + foreach ($ip_ar as $value) { + if (! $value == '') { + $count_dns = $count_dns + 1; + $count_ip = $count_ip + 1; + # reetp IP should not be added to a DNS entry + #$alt_names .= "DNS.$count_dns = ".trim($value)."\n"; + $alt_names .= "IP.$count_ip = ".trim($value)."\n"; + } + } + } + + if (($count_dns > 0) || ($count_ip > 0)) { + $server_altnames = "@alt_names"; + } else { + $server_altnames = "DNS:$common_name,email:copy"; + } + + $configHOME = $config['home_dir']; + $configRANDFILE = $config['random']; + $configCa_dir = $config['ca_dir']; + $configCert_dir = $config['cert_dir']; + $configCrl_dir = $config['crl_dir']; + $configDatabase = $config['index']; + $configNew_certs_dir = $config['new_certs_dir']; + $configPrivate_dir = $config['private_dir']; + $configSerial = $config['serial']; + $configCacert_pem = $config['cacert_pem']; + $configCacrl_pem = $config['cacrl_pem']; + $configCakey = $config['cakey']; + $configDefault_md = $config['default_md']; + $configBase_url = $config['base_url']; + $configCrl_dist = $config['crl_distrib']; + $configComment_root = $config['comment_root']; + $configPolicy_url = $config['policy_url']; + $configRevoke_url = $config['revoke_url']; + $configComment_email = $config['comment_email']; + $configComment_sign = $config['comment_sign']; + $configComment_srv = $config['comment_srv']; + + + + $cnf_contents = " +HOME = $configHOME +RANDFILE = $configRANDFILE +dir = $configCa_dir +certs = $configCert_dir +crl_dir = $configCrl_dir +database = $configDatabase +new_certs_dir = $configNew_certs_dir +private_dir = $configPrivate_dir +serial = $configSerial +certificate = $configCacert_pem +crl = $configCacrl_pem +private_key = $configCakey +crl_extentions = crl_ext default_days = 365 default_crl_days = 30 preserve = no -default_md = sha1 +default_md = $configDefault_md [ req ] default_bits = $keysize @@ -73,7 +132,7 @@ policy = policy_supplied x509_extensions = vpn_client_server_ext default_days = 365 policy = policy_supplied - + [ time_stamping_cert ] x509_extensions = time_stamping_ext default_days = 365 @@ -102,10 +161,10 @@ keyUsage = cRLSign, keyCertSign nsCertType = sslCA, emailCA, objCA subjectKeyIdentifier = hash subjectAltName = email:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Root Certificate\" -#nsCaRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_root +#nsCaRevocationUrl = +nsCaPolicyUrl = $configBase_url$configPolicy_url [ email_ext ] basicConstraints = critical, CA:false @@ -116,11 +175,11 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Personal Certificate\" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_email +nsBaseUrl = $configBase_url +nsRevocationUrl = $configBase_url$configRevoke_url$serial +nsCaPolicyUrl = $configBase_url$configPolicy_url [ email_signing_ext ] basicConstraints = critical, CA:false @@ -131,26 +190,26 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Personal Certificate\" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_sign +nsBaseUrl = $configBase_url +nsRevocationUrl = $configBase_url$configRevoke_url$serial +nsCaPolicyUrl = $configBase_url$configPolicy_url [ server_ext ] basicConstraints = critical, CA:false keyUsage = critical, digitalSignature, keyEncipherment -nsCertType = critical, server +nsCertType = server extendedKeyUsage = critical, serverAuth subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = DNS:$common_name,email:copy +subjectAltName = $server_altnames issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Server Certificate\" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_srv +nsBaseUrl = $configBase_url +nsRevocationUrl = $configBase_url$configRevoke_url$serial +nsCaPolicyUrl = $configBase_url$configPolicy_url [ time_stamping_ext ] basicConstraints = CA:false @@ -160,10 +219,10 @@ subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = DNS:$common_name,email:copy issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Time Stamping Certificate\" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $config[comment_stamp] +nsBaseUrl = $configBase_url +nsRevocationUrl = $configBase_url$configRevoke_url$serial [ vpn_client_ext ] basicConstraints = critical, CA:false @@ -191,15 +250,19 @@ nsCertType = critical, server, client subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always, issuer:always subjectAltName = DNS:$common_name,email:copy + +[alt_names] +$alt_names "; - # Write out the config file. - $cnf_file = tempnam('../../tmp','cnf-'); - $handle = fopen($cnf_file,"w"); - fwrite($handle, $cnf_contents); - fclose($handle); - - return($cnf_file); + + # Write out the config file. + $cnf_file = tempnam('../../tmp', 'cnf-'); // Why is this not in the phpki dir ? why ../../ ? + $handle = fopen($cnf_file, "w"); + fwrite($handle, $cnf_contents); + fclose($handle); + + return($cnf_file); } // @@ -208,239 +271,264 @@ subjectAltName = DNS:$common_name,email:copy // Fields: serial, country, province, locality, organization, // issuer, unit, common_name, email // -function CAdb_to_array($search = '.*') { - global $config; +function CAdb_to_array($search = '.*') +{ + global $config; - # Prepend a default status to search string if missing. - #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search; - if (! preg_match("/^\^\[.*\]/", $search)) $search = '^[VRE].*'.$search; - # Include valid certs? - #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true; - if (preg_match('/^\^\[.*V.*\]/',$search)) $inclval = true; - # Include revoked certs? - #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true; - if (preg_match('/^\^\[.*R.*\]/',$search)) $inclrev = true; - # Include expired certs? - #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true; - if (preg_match('/^\^\[.*E.*\]/',$search)) $inclexp = true; + # Prepend a default status to search string if missing. + #if (! ereg('^\^\[.*\]', $search)) $search = '^[VRE].*'.$search; + if (! preg_match("/^\^\[.*\]/", $search)) { + $search = '^[VRE].*'.$search; + } + # Include valid certs? + #if (ereg('^\^\[.*V.*\]',$search)) $inclval = true; + if (preg_match('/^\^\[.*V.*\]/', $search)) { + $inclval = true; + } + # Include revoked certs? + #if (ereg('^\^\[.*R.*\]',$search)) $inclrev = true; + if (preg_match('/^\^\[.*R.*\]/', $search)) { + $inclrev = true; + } + # Include expired certs? + #if (ereg('^\^\[.*E.*\]',$search)) $inclexp = true; + if (preg_match('/^\^\[.*E.*\]/', $search)) { + $inclexp = true; + } - # There isn't really a status of 'E' in the openssl index. - # Change (E)xpired to (V)alid within the search string. - #$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search); - $search = preg_replace('/^(\^\[.*)E(.*\])/','${1}V${2}',$search); + # There isn't really a status of 'E' in the openssl index. + # Change (E)xpired to (V)alid within the search string. + #$search = ereg_replace('^(\^\[.*)E(.*\])','\\1V\\2',$search); + $search = preg_replace('/^(\^\[.*)E(.*\])/', '${1}V${2}', $search); - $db = array(); - exec('egrep -i '.escshellarg($search).' '.$config['index'], $x); - foreach($x as $y) { - $i = CAdb_explode_entry($y); - if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp)) - $db[$i['serial']] = $i; - } + $db = array(); + exec('egrep -i '.escshellarg($search).' '.$config['index'], $x); + foreach ($x as $y) { + $i = CAdb_explode_entry($y); + if (($i['status'] == "Valid" && $inclval) || ($i['status'] == "Revoked" && $inclrev) || ($i['status'] == "Expired" && $inclexp)) { + $db[$i['serial']] = $i; + } + } - return($db); + return($db); } // // Returns an array containing the index record for // certificate $serial. -// -function CAdb_get_entry($serial) { - global $config; - $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$"; - $x = exec('egrep '.escshellarg($regexp).' '.$config['index']); - if ($x) - return CAdb_explode_entry($x); - else { - return false; - } +// +function CAdb_get_entry($serial) +{ + global $config; + $regexp = "^[VR]\t.*\t.*\t$serial\t.*\t.*$"; + $x = exec('egrep '.escshellarg($regexp).' '.$config['index']); + if ($x) { + return CAdb_explode_entry($x); + } else { + return false; + } } // -// Returns the serial number of a VALID certificate matching +// Returns the serial number of a VALID certificate matching // $email and/or $name. Returns FALSE if no match is found. // -function CAdb_in($email="", $name="") { - global $config; - $email = escshellcmd($email); - $name = escshellcmd($name); - $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email"; - $x =exec("egrep '$regexp' $config[index]"); - if ($x) { - list($j,$j,$j,$serial,$j,$j) = explode("\t", $x); - return "$serial"; - } - else - return false; +function CAdb_in($email = "", $name = "") +{ + global $config; + $email = escshellcmd($email); + $name = escshellcmd($name); + $regexp = "^[V].*CN=$name/(Email|emailAddress)=$email"; + $x = exec('egrep '.escshellarg($regexp).' '.$config['index']); + + if ($x) { + list($j,$j,$j,$serial,$j,$j) = explode("\t", $x); + return "$serial"; + } else { + return false; + } } // // Alias for CAdb_in() // -function CAdb_serial($email, $name='') { - return CAdb_in($email, $name=''); +function CAdb_serial($email, $name = '') +{ + return CAdb_in($email, $name = ''); } // // Alias for CAdb_in() // -function CAdb_exists($email, $name='') { - return CAdb_in($email, $name=''); +function CAdb_exists($email, $name = '') +{ + return CAdb_in($email, $name = ''); } // // Returns the certificate 'issuer' // -function CAdb_issuer($serial) { - global $config; - $rec = CAdb_get_entry($serial); - return $rec['issuer']; +function CAdb_issuer($serial) +{ + global $config; + $rec = CAdb_get_entry($serial); + return $rec['issuer']; } // // Returns an array containing the respective fields given a // a raw line ($dbentry) from the certificate index. -// Fields: serial, country, province locality, organization, +// Fields: serial, country, province locality, organization, // issuer, unit, common_name, email // -function CAdb_explode_entry($dbentry) { - $a = explode("\t", $dbentry); - $b = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]); +function CAdb_explode_entry($dbentry) +{ + $a = explode("\t", $dbentry); + $b = preg_split('/\/([A-Z]|[a-z])+=/', $a[5]); - switch ($a[0]) { - case "V": - $db['status'] = "Valid"; - break; - case "R": - $db['status'] = "Revoked"; - break; - } + switch ($a[0]) { + case "V": + $db['status'] = "Valid"; + break; + case "R": + $db['status'] = "Revoked"; + break; + } - // CA_cert_start/enddate - // A date will be returned in this format - // Feb 27 16:00:09 2020 GMT - // Add a 'digital' sort key for digital date sorting later - sscanf(CA_cert_startdate($a[3]),"%s%s%s%s", $mm,$dd,$tt,$yy); - $db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd")); - $db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd")); + // CA_cert_start/enddate + // A date will be returned in this format + // Feb 27 16:00:09 2020 GMT + // Add a 'digital' sort key for digital date sorting later + sscanf(CA_cert_startdate($a[3]), "%s%s%s%s", $mm, $dd, $tt, $yy); + $db['issued'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd")); + $db['issuedSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd")); - sscanf(CA_cert_enddate($a[3]), "%s%s%s%s",$mm,$dd,$tt,$yy); - $db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd")); - $db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd")); + sscanf(CA_cert_enddate($a[3]), "%s%s%s%s", $mm, $dd, $tt, $yy); + $db['expires'] = strftime("%Y-%b-%d", strtotime("$yy-$mm-$dd")); + $db['expiresSort'] = strftime("%Y-%m-%d", strtotime("$yy-$mm-$dd")); - if (time() > strtotime("$yy-$mm-$dd")) { - $db['status'] = "Expired"; - } + if (time() > strtotime("$yy-$mm-$dd")) { + $db['status'] = "Expired"; + } - // Compatibility with migrated certs from openvpn-bridge - if(count($b) == 7){ - $db['serial'] = $a[3]; - $db['country'] = $b[1]; - $db['province'] = $b[2]; - $db['locality'] = ''; - $db['organization'] = $b[3]; - $db['issuer'] = ''; - $db['unit'] = $b[4]; - $db['common_name'] = $b[5]; - $db['email'] = $b[6]; - } - // Compatibility with renewed certs from openvpn-bridge - elseif(count($b) == 8){ - $db['serial'] = $a[3]; - $db['country'] = $b[1]; - $db['province'] = $b[2]; - $db['locality'] = $b[3]; - $db['organization'] = $b[4]; - $db['issuer'] = ''; - $db['unit'] = $b[5]; - $db['common_name'] = $b[6]; - $db['email'] = $b[7]; - } - // Else, it's a certificate created with phpki - else{ - $db['serial'] = $a[3]; - $db['country'] = $b[1]; - $db['province'] = $b[2]; - $db['locality'] = $b[3]; - $db['organization'] = $b[4]; - $db['issuer'] = $b[5]; - $db['unit'] = $b[6]; - $db['common_name'] = $b[7]; - $db['email'] = $b[8]; - } + // Compatibility with migrated certs from openvpn-bridge + if (count($b) == 7) { + $db['serial'] = $a[3]; + $db['country'] = $b[1]; + $db['province'] = $b[2]; + $db['locality'] = ''; + $db['organization'] = $b[3]; + $db['issuer'] = ''; + $db['unit'] = $b[4]; + $db['common_name'] = $b[5]; + $db['email'] = $b[6]; + } // Compatibility with renewed certs from openvpn-bridge + elseif (count($b) == 8) { + $db['serial'] = $a[3]; + $db['country'] = $b[1]; + $db['province'] = $b[2]; + $db['locality'] = $b[3]; + $db['organization'] = $b[4]; + $db['issuer'] = ''; + $db['unit'] = $b[5]; + $db['common_name'] = $b[6]; + $db['email'] = $b[7]; + } // Else, it's a certificate created with phpki + else { + $db['serial'] = $a[3]; + $db['country'] = $b[1]; + $db['province'] = $b[2]; + $db['locality'] = $b[3]; + $db['organization'] = $b[4]; + $db['issuer'] = $b[5]; + $db['unit'] = $b[6]; + $db['common_name'] = $b[7]; + $db['email'] = $b[8]; + } - return $db; + return $db; } // // Returns the date & time a specified certificate is revoked, // Returns FALSE if the certificate is not revoked. // -function CAdb_is_revoked($serial) { - global $config; - $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$"; - $x = exec('egrep '.escshellarg($regexp).' '.$config['index']); +function CAdb_is_revoked($serial) +{ + global $config; + $regexp = "^R\t.*\t.*\t$serial\t.*\t.*$"; + $x = exec('egrep '.escshellarg($regexp).' '.$config['index']); - if ($x) { - list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x); - sscanf($revoke_date, "%2s%2s%2s",$yy,$mm,$dd); - return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd")); - } - else - return false; + if ($x) { + list($j,$j,$revoke_date,$j,$j,$j) = explode("\t", $x); + // Revoke date = 'R' + start date and is in this format + // 200227162209Z + sscanf($revoke_date, "%2s%2s%2s", $yy, $mm, $dd); + return strftime("%b %d, %Y", strtotime("$yy-$mm-$dd")); + } else { + return false; + } } // // Returns TRUE if a certificate is valid, otherwise FALSE. // -function CAdb_is_valid($serial) { - global $config; - $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$"; +function CAdb_is_valid($serial) +{ + global $config; + $regexp = "^V\t.*\t.*\t$serial\t.*\t.*$"; - if (exec('egrep '.escshellarg($regexp).' '.$config['index'])) - return true; - else - return false; + if (exec('egrep '.escshellarg($regexp).' '.$config['index'])) { + return true; + } else { + return false; + } } // // Returns the long-form certificate description as output by // openssl x509 -in certificatefile -text -purpose // -function CA_cert_text($serial) { - global $config; - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem'; - return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1')); +function CA_cert_text($serial) +{ + global $config; + $certfile = $config['new_certs_dir'] . "/$serial.pem"; + return(shell_exec(X509.' -in '.escshellarg($certfile).' -text -purpose 2>&1')); } // // Returns the long-form text of the Certificate Revocation List -// openssl crl -in crlfile -text +// openssl crl -in crlfile -text // -function CA_crl_text() { - global $config; - $crlfile = $config['cacrl_pem']; - return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1')); +function CA_crl_text() +{ + global $config; + $crlfile = $config['cacrl_pem']; + return(shell_exec(CRL.' -in '.escshellarg($crlfile).' -text 2>&1')); } // Returns the static takey.pem file -function ta_key_text() { +function ta_key_text() +{ global $config; return(shell_exec('cat '.escshellarg($config['private_dir']).'/takey.pem 2>&1')); } // Returns the dhparam file -function dhparam_text() { +function dhparam_text() +{ global $config; - return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam1024.pem 2>&1')); + return(shell_exec('cat '.escshellarg($config['private_dir']).'/dhparam2048.pem 2>&1')); } // Returns the root CA certificate file (PEM Encoded) -function root_pem_text() { +function root_pem_text() +{ global $config; return(shell_exec('cat '.escshellarg($config['cacert_pem']).' 2>&1')); } @@ -448,406 +536,441 @@ function root_pem_text() { // // Returns the subject of a certificate. // -function CA_cert_subject($serial) { - global $config; - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem'; - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1'); - return(str_replace('subject=', '', $x)); +function CA_cert_subject($serial) +{ + global $config; + $certfile = $config['new_certs_dir'] . "/$serial.pem"; + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -subject 2>&1'); + return(str_replace('subject=', '', $x)); } // // Returns the common name of a certificate. // -function CA_cert_cname($serial) { - global $config; - #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial))); - return(preg_replace('/^.*\/CN=(.*)\/.*/','${1}',CA_cert_subject($serial))); - +function CA_cert_cname($serial) +{ + global $config; + #return(ereg_replace('^.*/CN=(.*)/.*','\\1',CA_cert_subject($serial))); + return(preg_replace('/^.*\/CN=(.*)\/.*/', '${1}', CA_cert_subject($serial))); } // // Returns the email address of a certificate. // -function CA_cert_email($serial) { - global $config; - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem'; - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1'); - return($x); +function CA_cert_email($serial) +{ + global $config; + $certfile = $config['new_certs_dir'] . "/$serial.pem"; + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -email 2>&1'); + return($x); } // // Returns the effective date of a certificate. // -function CA_cert_startdate($serial) { - global $config; - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem'; - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1'); - return(str_replace('notBefore=','',$x)); +function CA_cert_startdate($serial) +{ + global $config; + $certfile = $config['new_certs_dir'] . "/$serial.pem"; + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -startdate 2>&1'); + return(str_replace('notBefore=', '', $x)); } // // Returns the expiration date of a certificate. // -function CA_cert_enddate($serial) { - global $config; - $certfile = $config['new_certs_dir'] . '/' . $serial . '.pem'; - $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate 2>&1'); - return(str_replace('notAfter=','',$x)); +function CA_cert_enddate($serial) +{ + global $config; + $certfile = $config['new_certs_dir'] . "/$serial.pem"; + $x = exec(X509.' -in '.escshellarg($certfile).' -noout -enddate 2>&1'); + return(str_replace('notAfter=', '', $x)); } // // Revokes a specified certificate. // -function CA_revoke_cert($serial) { - global $config; +function CA_revoke_cert($serial) +{ + global $config; - $fd = fopen($config['index'],'a'); - flock($fd, LOCK_EX); + $fd = fopen($config['index'], 'a'); + flock($fd, LOCK_EX); - $certfile = "$config[new_certs_dir]/$serial.pem"; - - $cmd_output[] = 'Revoking the certificate.'; - exec(CA." -config '$config[openssl_cnf]' -revoke ".escshellarg($certfile)." -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret); + $certfile = $config['new_certs_dir'] . "/$serial.pem"; + $cmd_output[] = 'Revoking the certificate.'; + $configCa_pwd = $config['ca_pwd']; + $configOpenssl_cnf = $config['openssl_cnf']; + exec(CA." -config $configOpenssl_cnf -revoke ".escshellarg($certfile)." -passin pass:$configCa_pwd 2>&1", $cmd_output, $ret); - if ($ret == 0) { - unset($cmd_output); - list($ret, $cmd_output[]) = CA_generate_crl(); - } - - fclose($fd); + if ($ret == 0) { + unset($cmd_output); + list($ret, $cmd_output[]) = CA_generate_crl(); + } - return array(($ret == true || $ret == 0 ? true : false), implode('
',$cmd_output)); + fclose($fd); + + return array(($ret == true || $ret == 0 ? true : false), implode('
', $cmd_output)); } // // Creates a new certificate request, and certificate in various formats -// according to specified parameters. PKCS12 bundle files contain the +// according to specified parameters. PKCS12 bundle files contain the // private key, certificate, and CA certificate. // // Returns an array containing the output of failed openssl commands. // -function CA_create_cert($cert_type='email',$country,$province,$locality,$organization,$unit,$common_name,$email,$expiry,$passwd,$keysize=1024) { - global $config; +function CA_create_cert($cert_type = 'email', $country, $province, $locality, $organization, $unit, $common_name, $email, $expiry, $passwd, $keysize = 2048, $dns_names, $ip_addr) +{ + global $config; - # Wait here if another user has the database locked. - $fd = fopen($config['index'],"a"); - flock($fd, LOCK_EX); + # Wait here if another user has the database locked. + $fd = fopen($config['index'], "a"); + flock($fd, LOCK_EX); - # Get the next available serial number - $serial = trim(implode('',file($config['serial']))); + # Get the next available serial number + $serial = trim(implode('', file($config['serial']))); - $userkey = $config['private_dir'].'/'.$serial.'-key.pem'; - $userreq = $config['req_dir'].'/'.$serial.'-req.pem'; - $usercert = $config['new_certs_dir'].'/'.$serial.'.pem'; - $userder = $config['cert_dir'].'/'.$serial.'.der'; - $userpfx = $config['pfx_dir'].'/'.$serial.'.pfx'; + $userkey = $config['private_dir'] . "/$serial-key.pem"; + $userreq = $config['req_dir'] ."/$serial-req.pem"; + $usercert = $config['new_certs_dir'] . "/$serial.pem"; + $userder = $config['cert_dir'] . "/$serial.der"; + $userpfx = $config['pfx_dir'] . "/$serial.pfx"; - $expiry_days = round($expiry * 365.25, 0); + $expiry_days = round($expiry * 365.25, 0); - $cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email,$keysize); + $cnf_file = CA_create_cnf($country, $province, $locality, $organization, $unit, $common_name, $email, $keysize, $dns_names, $ip_addr, $serial); - # Escape certain dangerous characters in user input - $email = escshellcmd($email); - $passwd = escshellarg($passwd); - $friendly_name = escshellarg($common_name); - $extensions = escshellarg($cert_type.'_ext'); - - # Create the certificate request - unset($cmd_output); - $cmd_output[] = 'Creating certifcate request.'; + # Escape certain dangerous characters in user input + $email = escshellcmd($email); + $_passwd = escshellarg($passwd); + $friendly_name = escshellarg($common_name); + $extensions = escshellarg($cert_type.'_ext'); - if (($passwd) && ($passwd != "''")) { - exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$passwd 2>&1", $cmd_output, $ret); - } - else { - exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes 2>&1", $cmd_output, $ret); - } - - # Sign the certificate request and create the certificate - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Signing $cert_type certifcate request."; - exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret); - }; + # Create the certificate request + unset($cmd_output); + $cmd_output[] = 'Creating certificate request.'; - # Create DER format certificate - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Creating DER format certifcate."; - exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret); - }; + if (($_passwd) && ($_passwd != "''")) { + exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -passout pass:$_passwd 2>&1", $cmd_output, $ret); + } else { + exec(REQ." -new -newkey rsa:$keysize -keyout '$userkey' -out '$userreq' -config '$cnf_file' -days '$expiry_days' -nodes 2>&1", $cmd_output, $ret); + } - # Create a PKCS12 certificate file for download to Windows - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Creating PKCS12 format certifcate."; - if ($passwd) { - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $passwd"; - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$passwd -passout pass:$passwd 2>&1", $cmd_output, $ret); - } - else { - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -passout pass: 2>&1", $cmd_output, $ret); - } - }; + # Sign the certificate request and create the certificate + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Signing $cert_type certificate request."; + $configCa_pwd = $config['ca_pwd']; + exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret); + }; - #Unlock the CA database - fclose($fd); + # Create DER format certificate + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Creating DER format certificate."; + exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret); + }; - #Remove temporary openssl config file. - if (file_exists($cnf_file)) unlink($cnf_file); + # Create a PKCS12 certificate file for download to Windows + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Creating PKCS12 format certificate."; + $configCacert_pem = $config['cacert_pem']; + $configOrganization = $config['organization']; + $configRandom = $config['random']; - if ($ret == 0) { - # Successful! - # Return status=true and serial number of issued certificate. - return array(true, $serial); - - } - else { - # Not successful. :-( - # Clean up our loose ends. - # Return status=false and openssl output/errors for debug. - CA_remove_cert($serial); - $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem.'; - return array(false, implode("
",$cmd_output)); - } + if (($_passwd) && ($_passwd != "''")) { + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd"; + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret); + } else { + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; + // reetp - this needs looking at + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret); + //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret); + } + }; + + #Unlock the CA database + fclose($fd); + + #Remove temporary openssl config file. + if (file_exists($cnf_file)) { + unlink($cnf_file); + } + + if ($ret == 0) { + # Successful! + # Return status=true and serial number of issued certificate. + return array(true, $serial); + } else { + # Not successful. :-( + # Clean up our loose ends. + # Return status=false and openssl output/errors for debug. + CA_remove_cert($serial); + $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem.'; + return array(false, implode("
", $cmd_output)); + } } // // Renews a specified certificate, revoking any existing valid versions. -// Uses old certificate request to Creates a new request, and certificate +// Uses old certificate request to Creates a new request, and certificate // in various formats. // // Returns an array containing the output of failed openssl commands. // -// FIXME: Yes, I know... This functions contains much duplicative code +// FIXME: Yes, I know... This functions contains much duplicative code // from CA_create_cert(). Bleh! -// -function CA_renew_cert($old_serial,$expiry,$passwd) { - global $config; +// +function CA_renew_cert($old_serial, $expiry, $passwd) +{ + global $config; - # Don't renew a revoked certificate if a valid one exists for this - # URL. Find and renew the valid certificate instead. - if (CAdb_is_revoked($old_serial)) { - $ret = CAdb_in(CA_cert_email($old_serial),CA_cert_cname($old_serial)); - if ($ret && $old_serial != $ret) $old_serial = $ret; - } + # Do not renew a revoked certificate if a valid one exists for this + # URL. Find and renew the valid certificate instead. + if (CAdb_is_revoked($old_serial)) { + $ret = CAdb_in(CA_cert_email($old_serial), CA_cert_cname($old_serial)); + if ($ret && $old_serial != $ret) { + $old_serial = $ret; + } + } - # Valid certificates must be revoked prior to renewal. - if (CAdb_is_valid($old_serial)) { - $ret = CA_revoke_cert($old_serial); - if (! $ret[0]) return $ret; - } + # Valid certificates must be revoked prior to renewal. + if (CAdb_is_valid($old_serial)) { + $ret = CA_revoke_cert($old_serial); + if (! $ret[0]) { + return $ret; + } + } - $cert_type = CA_cert_type($old_serial); - $extensions = $cert_type.'_ext'; + $cert_type = CA_cert_type($old_serial); + $extensions = $cert_type.'_ext'; - # Get common_name from old certificate for use as the - # "friendly name" of PKCS12 certificate. - $rec = CAdb_get_entry($old_serial); - $country = $rec['country']; - $province = $rec['province']; - $locality = $rec['locality']; - $organization = $rec['organiztion']; - $unit = $rec['unit']; - $common_name = $rec['common_name']; - $email = $rec['email']; + # Get common_name from old certificate for use as the + # "friendly name" of PKCS12 certificate. + $rec = CAdb_get_entry($old_serial); + $country = $rec['country']; + $province = $rec['province']; + $locality = $rec['locality']; + $organization = $rec['organization']; + $unit = $rec['unit']; + $common_name = $rec['common_name']; + $email = $rec['email']; - # Wait here if another user has the database locked. - $fd = fopen($config['index'],"a"); - flock($fd, LOCK_EX); + # Wait here if another user has the database locked. + $fd = fopen($config['index'], "a"); + flock($fd, LOCK_EX); - # Get the next available serial number - $serial = trim(implode('',file($config['serial']))); + # Get the next available serial number + $serial = trim(implode('', file($config['serial']))); - $old_userkey = $config['private_dir'].'/'.$old_serial.'-key.pem'; - $old_userreq = $config['req_dir'].'/'.$old_serial.'-req.pem'; - $userkey = $config['private_dir'].'/'.$serial.'-key.pem'; - $userreq = $config['req_dir'].'/'.$serial.'-req.pem'; - $usercert = $config['new_certs_dir'].'/'.$serial.'.pem'; - $userder = $config['cert_dir'].'/'.$serial.'.der'; - $userpfx = $config['pfx_dir'].'/'.$serial.'.pfx'; + $old_userkey = $config['private_dir'] . "/$old_serial-key.pem"; + $old_userreq = $config['req_dir'] . "/$old_serial-req.pem"; + $userkey = $config['private_dir'] . "/$serial-key.pem"; + $userreq = $config['req_dir'] . "/$serial-req.pem"; + $usercert = $config['new_certs_dir'] . "/$serial.pem"; + $userder = $config['cert_dir'] . "/$serial.der"; + $userpfx = $config['pfx_dir'] . "/$serial.pfx"; - $expiry_days = round($expiry * 365.25, 0); - $cmd_output = array(); - $ret = 0; + $expiry_days = round($expiry * 365.25, 0); - # Create a new certificate request by copying the old request. - if (! file_exists($old_userreq) || ! copy($old_userreq,$userreq)) { - $cmd_output[] = 'Could not create new certificate request file.'; - $ret = 1; - } + $cmd_output = array(); + $ret = 0; - # Copy private key to new file. - if ($ret == 0 && (! file_exists($old_userkey) || ! copy($old_userkey,$userkey))) { - $cmd_output[] = "Could not update private key file."; - $ret = 1; - } - - $cnf_file = CA_create_cnf($country,$province,$locality,$organization,$unit,$common_name,$email); + # Create a new certificate request by copying the old request. + if (! file_exists($old_userreq) || ! copy($old_userreq, $userreq)) { + $cmd_output[] = 'Could not create new certificate request file.'; + $ret = 1; + } - # "friendly name" of PKCS12 certificate. - $friendly_name = escshellarg($rec['common_name']); + # Copy private key to new file. + if ($ret == 0 && (! file_exists($old_userkey) || ! copy($old_userkey, $userkey))) { + $cmd_output[] = "Could not update private key file."; + $ret = 1; + } - # Escape dangerous characters in user input. - $passwd = escshellarg($passwd); + $cnf_file = CA_create_cnf($country, $province, $locality, $organization, $unit, $common_name, $email); - # Sign the certificate request and create the certificate. - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Signing the $cert_type certificate request."; - exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$config[ca_pwd]' -batch -extensions $extensions 2>&1", $cmd_output, $ret); - }; + # "friendly name" of PKCS12 certificate. + $friendly_name = escshellarg($rec['common_name']); - # Create DER format certificate - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Creating DER format certificate."; - exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret); - }; + # Escape dangerous characters in user input. + $_passwd = escshellarg($passwd); - # Create a PKCS12 certificate file for download to Windows - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Creating PKCS12 format certificate."; - if ($passwd) { - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $passwd"; - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -rand '$config[random]' -passin pass:$passwd -passout pass:$passwd 2>&1", $cmd_output, $ret); - } - else { - $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; - exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -passout pass: 2>&1", $cmd_output, $ret); - } - }; - - #Unlock the CA database - fclose($fd); + $configCa_pwd = $config['ca_pwd']; + $configCacert_pem = $config['cacert_pem']; + $configOrganization = $config['organization']; + $configRandom = $config['random']; - # https://github.com/radicand/phpki/issues/14 - if (preg_match('E-mail Protection', $certtext) && preg_match('Code Signing', $certtest)) { - $cert_type = 'email_signing'; - } - if (preg_match('E-mail Protection', $certtext)) { - $cert_type = 'email'; - } + # Sign the certificate request and create the certificate. + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Signing the $cert_type certificate request."; + exec(CA." -config '$cnf_file' -in '$userreq' -out /dev/null -notext -days '$expiry_days' -passin pass:'$configCa_pwd' -batch -extensions $extensions 2>&1", $cmd_output, $ret); + }; - #Remove temporary openssl config file. - if (file_exists($cnf_file)) unlink($cnf_file); + # Create DER format certificate + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Creating DER format certificate."; + exec(X509." -in '$usercert' -out '$userder' -inform PEM -outform DER 2>&1", $cmd_output, $ret); + }; - if ($ret == 0) { - return array(true, $serial); - } - else { - # Not successful, so clean up before exiting. - CA_remove_cert($serial); + # Create a PKCS12 certificate file for download to Windows + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Creating PKCS12 format certificate."; + if (($_passwd) && ($_passwd != "''")) { + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx pass: $_passwd"; + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -rand '$configRandom' -passin pass:$_passwd -passout pass:$_passwd 2>&1", $cmd_output, $ret); + } else { + $cmd_output[] = "infile: $usercert keyfile: $userkey outfile: $userpfx"; + // reetp - this needs looking at + exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$configCacert_pem' -caname '$configOrganization' -out '$userpfx' -name $friendly_name -nodes -passout pass: 2>&1", $cmd_output, $ret); + //exec(PKCS12." -export -in '$usercert' -inkey '$userkey' -certfile '$config[cacert_pem]' -caname '$config[organization]' -out '$userpfx' -name $friendly_name -nodes 2>&1", $cmd_output, $ret); + } + }; - if (eregi_array('.*private key.*',$cmd_output)) - $cmd_output[] = 'This was likely caused by entering the wrong certificate password.'; - else - $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem.'; + #Unlock the CA database + fclose($fd); - return array(false, implode('
',$cmd_output)); - } + // Why is this here? + + //# https://github.com/radicand/phpki/issues/14 - but ereg is deprecated + if (preg_match('/E-mail Protection/', $certtext)) { + $cert_type = 'email'; + } + if (preg_match('/E-mail Protection/', $certtext) && preg_match('/Code Signing/', $certtext)) { + $cert_type = 'email_signing'; + } + + #Remove temporary openssl config file. + if (file_exists($cnf_file)) { + unlink($cnf_file); + } + + if ($ret == 0) { + return array(true, $serial); + } else { + # Not successful, so clean up before exiting. + CA_remove_cert($serial); + + if (preg_match_array('.*private key.*', $cmd_output)) { + $cmd_output[] = 'This was likely caused by entering the wrong certificate password.'; + } else { + $cmd_output[] = 'Click on the "Help" link above for information on how to report this problem.'; + } + + return array(false, implode('
', $cmd_output)); + } } // -// Creates a new Certificate Revocation List and copies it the the approriate +// Creates a new Certificate Revocation List and copies it the the approriate // locations. Returns error messages from failed commands. // -function CA_generate_crl() { - global $config; +function CA_generate_crl() +{ + global $config; - $ret = 0; + $configOpenssl_cnf = $config['openssl_cnf']; + $configCacrl_pem = $config['cacrl_pem']; + $configCa_pwd = $config['ca_pwd']; + $configCacrl_der = $config['cacrl_der']; + $ret = 0; - $cmd_output[] = "Generating Certificate Revocation List."; - exec(CA. " -gencrl -config '$config[openssl_cnf]' -out '$config[cacrl_pem]' -passin pass:'$config[ca_pwd]' 2>&1", $cmd_output, $ret); + $cmd_output[] = "Generating Certificate Revocation List."; + exec(CA. " -gencrl -config '$configOpenssl_cnf' -out '$configCacrl_pem' -passin pass:'$configCa_pwd' 2>&1", $cmd_output, $ret); - if ($ret == 0) { - unset($cmd_output); - $cmd_output[] = "Creating DER format Certificate Revocation List."; - exec(CRL." -in '$config[cacrl_pem]' -out '$config[cacrl_der]' -inform PEM -outform DER 2>&1", $cmd_output, $ret); - } + if ($ret == 0) { + unset($cmd_output); + $cmd_output[] = "Creating DER format Certificate Revocation List."; + exec(CRL." -in '$configCacrl_pem' -out '$configCacrl_der' -inform PEM -outform DER 2>&1", $cmd_output, $ret); + } - return array(($ret == 0 ? true : false), implode('
',$cmd_output)); + return array(($ret == 0 ? true : false), implode('
', $cmd_output)); } // // Removes a specified certificate from the certificate index, // and all traces of it from the file system. // -function CA_remove_cert($serial) { - global $config; +function CA_remove_cert($serial) +{ + global $config; - $userreq = $config['req_dir'].'/'.$serial.'-req.pem'; - $userkey = $config['private_dir'].'/'.$serial.'-key.pem'; - $usercert = $config['new_certs_dir'].'/'.$serial.'.pem'; - $userder = $config['cert_dir'].'/'.$serial.'.der'; - $userpfx = $config['pfx_dir'].'/'.$serial.'.pfx'; - + $userreq = $config['req_dir'] . "/$serial-req.pem"; + $userkey = $config['private_dir'] . "/$serial-key.pem"; + $usercert = $config['new_certs_dir'] . "/$serial.pem"; + $userder = $config['cert_dir'] . "/$serial.der"; + $userpfx = $config['pfx_dir'] ."/$serial.pfx"; - # Wait here if another user has the database locked. - $fd = fopen($config['index'],'a'); - flock($fd, LOCK_EX); + $configIndex = $config['index']; - if( file_exists($userreq)) unlink($userreq); - if( file_exists($userkey)) unlink($userkey); - if( file_exists($usercert)) unlink($usercert); - if( file_exists($userder)) unlink($userder); - if( file_exists($userpfx)) unlink($userpfx); + # Wait here if another user has the database locked. + $fd = fopen($configIndex, 'a'); + flock($fd, LOCK_EX); - $tmpfile = $config['index'].'.tmp'; - copy($config['index'], $tmpfile); + if (file_exists($userreq)) { + unlink($userreq); + } + if (file_exists($userkey)) { + unlink($userkey); + } + if (file_exists($usercert)) { + unlink($usercert); + } + if (file_exists($userder)) { + unlink($userder); + } + if (file_exists($userpfx)) { + unlink($userpfx); + } - $regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$"; - exec('egrep -v '.escshellarg($regexp)." $tmpfile > $config[index] 2>/dev/null"); + $tmpfile = $configIndex .'.tmp'; + copy($configIndex, $tmpfile); - unlink($tmpfile); - fclose($fd); - + $regexp = "^[VR]\t.*\t.*\t".$serial."\t.*\t.*$"; + exec('egrep -v '.escshellarg($regexp)." $tmpfile > $configIndex 2>/dev/null"); + + unlink($tmpfile); + fclose($fd); } // -// Returns the likely intended use for a specified certificate +// Returns the likely intended use for a specified certificate // (email, server, vpn). // -function CA_cert_type($serial) { +function CA_cert_type($serial) +{ - $certtext = CA_cert_text($serial); + $certtext = CA_cert_text($serial); - #if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext) && ereg('Code Signing', $certtest)) { - if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtest)) { - $cert_type = 'email_codesigning'; - } - #if (ereg('OpenSSL.* (E.?mail|Personal) .*Certificate', $certtext)) { - if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) { - $cert_type = 'email'; - } - #elseif (ereg('OpenSSL.* Server .*Certificate', $certtext)) { - elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) { - $cert_type = 'server'; - } - #elseif (ereg('timeStamping|Time Stamping', $certtext)) { - elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) { - $cert_type = 'time_stamping'; - } - #elseif (ereg('TLS Web Client Authentication', $certtext) && ereg('TLS Web Server Authentication', $certtext)) { - elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) { - $cert_type = 'vpn_client_server'; - } - #elseif (ereg('TLS Web Client Authentication', $certtext)) { - elseif (preg_match('~TLS Web Client Authentication~', $certtext)) { - $cert_type = 'vpn_client'; - } - #elseif (ereg('TLS Web Server Authentication', $certtext)) { - elseif (preg_match('~TLS Web Server Authentication~', $certtext)) { - $cert_type = 'vpn_server'; - } - else { - $cert_type = 'vpn_client_server'; - } + if (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext) && preg_match('~Code Signing~', $certtext)) { + $cert_type = 'email_signing'; // Was 'codesigning' but can't see that anywhere + } elseif (preg_match('~OpenSSL.* (E.?mail|Personal) .*Certificate~', $certtext)) { + $cert_type = 'email'; + } elseif (preg_match('~OpenSSL.* Server .*Certificate~', $certtext)) { + $cert_type = 'server'; + } elseif (preg_match('~timeStamping|Time Stamping~', $certtext)) { + $cert_type = 'time_stamping'; + } elseif (preg_match('~TLS Web Client Authentication~', $certtext) && preg_match('~TLS Web Server Authentication~', $certtext)) { + $cert_type = 'vpn_client_server'; + } elseif (preg_match('~TLS Web Client Authentication~', $certtext)) { + $cert_type = 'vpn_client'; + } elseif (preg_match('~TLS Web Server Authentication~', $certtext)) { + $cert_type = 'vpn_server'; + } else { + $cert_type = 'vpn_client_server'; + } - return $cert_type; + return $cert_type; } -?> +function CA_get_root_pem() +{ + global $config; + return(file_get_contents($config['cacert_pem'])); +} diff --git a/root/index.php b/root/index.php deleted file mode 120000 index 42f85a9..0000000 --- a/root/index.php +++ /dev/null @@ -1 +0,0 @@ -readme.php \ No newline at end of file diff --git a/root/index.php b/root/index.php new file mode 100644 index 0000000..42f85a9 --- /dev/null +++ b/root/index.php @@ -0,0 +1 @@ +readme.php \ No newline at end of file diff --git a/root/main.php b/root/main.php index 5b0dc76..5d5eb65 100644 --- a/root/main.php +++ b/root/main.php @@ -4,54 +4,70 @@ include('./config.php'); include(STORE_DIR.'/config/config.php'); include('./include/common.php'); include('./include/my_functions.php'); +include('./include/openssl_functions.php'); $stage = gpvar('stage'); -switch($stage) { +switch ($stage) { + case 'dl_root': + upload($config['cacert_pem'], $config['ca_prefix'] . "cacert.crt", 'application/x-x509-ca-cert'); + break; -case 'dl_root': - upload("$config[cacert_pem]", "$config[ca_prefix]cacert.crt", 'application/x-x509-ca-cert'); - break; + case 'display_root': + printHeader('public'); -case 'dl_crl': - upload("$config[cacrl_der]", "$config[ca_prefix]cacrl.crl", 'application/pkix-crl'); - break; + ?> +

Root Certificate (PEM Encoded)

+

+

+

+ +
+ -
-
-
- - - - - - - - - - - -
PUBLIC CONTENT MENU
- Search for a CertificateFind a digital certificate to download and install in your e-mail or browser application.
- ?stage=dl_root>Download Our Root CertificateYou must install our "Root" certificate before you can use any of the - certificates issued here. Read the online help - to learn more about this.
- ?stage=dl_crl>Download Our Certificate Revocation ListThe official list of certificates revoked by this site. Installation and use of - this list is optional. Some e-mail programs will reference this list automagically. - (Some will need it in PEM format.)
-
-

- +
+
+
+ + + + + + + + + + + + + + + + + + + +
PUBLIC CONTENT MENU
Search for a CertificateFind a digital certificate to download and install in your e-mail or browser application.
?stage=dl_root>Download Our Root Certificate You must install our "Root" certificate before you can use any of the certificates issued here. Read the online help to learn more about this.
?stage=display_root>Display Our Root Certificate (PEM Encoded)This option provides the "Root" certificate PEM encoded text for advanced users to manually install via copy and paste. Read the online help to learn more about this.
?stage=dl_crl>Download Our Certificate Revocation ListThe official list of certificates revoked by this site. Installation and use of this list is optional. Some e-mail programs will reference this list automagically. (Some will need it in PEM format.)
+
+
+
+ + diff --git a/root/ns_revoke_query.php b/root/ns_revoke_query.php index 23acd8e..bd1e2a1 100644 --- a/root/ns_revoke_query.php +++ b/root/ns_revoke_query.php @@ -7,21 +7,26 @@ # # PROTOCOL: # The client should issue an HTTP GET request using a URL that is -# the concatenation of the revocation url and certificate serial +# the concatenation of the revocation url and certificate serial # number. (i.e. http://www.host.dom/phpki/ns_revoke_query.php?10A5F2) # -# The server should return a document of type +# The server should return a document of type # application/x-netscape-revocation containing a single character # '1' if the certificate is revoked, '0' if it is valid. # -include('./config.in.php'); +include('./config.php'); include(STORE_DIR.'/config/config.php'); -$serial = escapeshellcmd(trim($HTTP_SERVER_VARS['QUERY_STRING'])); -header("Content-type: application/x-netscape-revocation"); -$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$"; -if (exec("egrep '$regexp' ca/$config[index]")) - print '1'; -else - print '0'; -?> +$serial = escapeshellcmd(trim($_SERVER['QUERY_STRING'])); +#header("Content-type: application/x-netscape-revocation"); + +# old Reg Ex doesnt work, new should do the work +#$regexp = "^R\t.*\t.*\t$serial\t.*\t.*$"; +$regexp = "^R.*$serial.*$"; +$configIndex = $config['index']; + +if (exec("egrep '$regexp' '$configIndex'")) { + print '1'; +} else { + print '0'; +} diff --git a/root/openssl.cnf b/root/openssl.cnf index a1283f6..cf637c7 100644 --- a/root/openssl.cnf +++ b/root/openssl.cnf @@ -14,7 +14,7 @@ crl_extensions = crl_ext default_days = 365 default_crl_days = 30 preserve = no -default_md = sha1 +default_md = sha256 [ ca ] default_ca = email_cert @@ -147,7 +147,7 @@ issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always [ req ] -default_bits = 1024 +default_bits = 2048 default_keyfile = privkey.pem distinguished_name = req_name string_mask = nombstr diff --git a/root/policy.html b/root/policy.html index 47bd506..cf564ff 100644 --- a/root/policy.html +++ b/root/policy.html @@ -1,14 +1,15 @@ + + -Certificate Authority Issuer's Statement + Certificate Authority Issuer's Statement + -

Certificate Authority Issuer's Statement

-

-This is a private Limited Liability certificate authority for use by member -non-profit agencies. -

-Certificate non-repudiation is achieved via identity verification by password -authorized certificate managers from each member agency. +

Certificate Authority Issuer's Statement

+ +

This is a private Limited Liability certificate authority for use by member non-profit agencies.

+ +

Certificate non-repudiation is achieved via identity verification by password authorized certificate managers from each member agency.

diff --git a/root/readme.php b/root/readme.php index 513efe0..9cc1bcf 100644 --- a/root/readme.php +++ b/root/readme.php @@ -7,7 +7,6 @@ include('./include/common.php'); printHeader('setup'); print '

READ ME

'; print '
';
-readfile('./README');
+readfile('./README.md');
 print '
'; printFooter(); -?> diff --git a/root/search.php b/root/search.php index f628bde..45b0b87 100644 --- a/root/search.php +++ b/root/search.php @@ -15,132 +15,137 @@ $show_revoked = gpvar('show_revoked'); $show_expired = gpvar('show_expired'); # Force stage back to search form if search string is empty. -if ($stage == "search" && ! $search) $stage = ""; +if ($stage == "search" && ! $search) { + $stage = ""; +} # Force filter to (V)alid certs if no search status is selected. -if ( !($show_valid.$show_revoked.$show_expired) ) $show_valid = 'V'; +if (!($show_valid.$show_revoked.$show_expired)) { + $show_valid = 'V'; +} switch ($stage) { -case display: - printHeader('about'); + case 'display': + printHeader('about'); - print ' -

Certificate Details

-

(#'.htvar($serial).')
'.htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>').'

'; + print ' +

Certificate Details

+

(#'.htvar($serial).')
'.htvar(CA_cert_cname($serial).' <'.CA_cert_email($serial).'>').'

'; - if ($revoke_date = CAdb_is_revoked($serial)) - print '

REVOKED '.htvar($revoke_date).'

'; + if ($revoke_date = CAdb_is_revoked($serial)) { + print '

REVOKED '.htvar($revoke_date).'

'; + } - print '
'.htvar(CA_cert_text($serial)).'
'; - break; - -case 'download': - $rec = CAdb_get_entry($serial); - upload("$config[cert_dir]/$serial.der", "$rec[common_name].cer", 'application/pkix-cert'); + print '
'.htvar(CA_cert_text($serial)).'
'; break; -case 'download_pem': + case 'download': $rec = CAdb_get_entry($serial); - upload("$config[new_certs_dir]/$serial.pem", "$rec[common_name].pem", 'application/pkix-cert'); + upload($config['cert_dir'] . "/$serial.der", $rec['common_name'] . ".cer", 'application/pkix-cert'); break; -case search: - printHeader('public'); + case 'download_pem': + $rec = CAdb_get_entry($serial); + upload($config['new_certs_dir'] . "/$serial.pem", $rec['common_name'] . ".pem", 'application/pkix-cert'); + break; - $db = CAdb_to_array("^[${show_valid}${show_revoked}${show_expired}].*$search"); + case 'search': + printHeader('public'); - print ''; - if (sizeof($db) == 0) { - ?> -
-

Nothing Found

-
method=post name=form> - - - - - -
-
- '; - print 'CERTIFICATE SEARCH RESULTS'; + print ''; + if (sizeof($db) == 0) { + ?> +
+

Nothing Found

+
+ + + + + +
+
+ '; + print 'CERTIFICATE SEARCH RESULTS'; $headings = array( status=>"Status", issued=>"Issued", expires=>"Expires", common_name=>"User's Name", email=>"E-mail", organization=>"Organization", unit=>"Department", locality=>"Locality", province=>"State" - ); + ); - print ''; - foreach($headings as $field=>$head) { - print ''.htvar($head). ''; + print ''; + foreach ($headings as $field => $head) { + print ''.htvar($head). ''; } - print ''; + print ''; - foreach($db as $rec) { - $stcolor = array(Valid=>'green',Revoked=>'red',Expired=>'orange'); + foreach ($db as $rec) { + $stcolor = array(Valid=>'green',Revoked=>'red',Expired=>'orange'); - ?> - - - - - - > - - - - - ?stage=display&serial= target=_certdisp>Display - - ?stage=download&serial=>Download - ?stage=download_pem&serial=>Download (in PEM format) - '; - } + ?> + + + + + + + + + + + Display + + Download + Download (in PEM format) + '; + } - ?> - + ?> + -
method=post name=form> - - - - - -
- " method="post" name="form"> + + + + + + + - -

Certificate Search

-
method=post name=search> - -
- >Valid -      >Revoked -     >Expired - -
+ ?> + +

Certificate Search

+
+ +
+ >Valid +      >Revoked +     >Expired + +
-

-
+ diff --git a/root/secure.sh b/root/secure.sh old mode 100755 new mode 100644 index 01e1f62..dec0c79 --- a/root/secure.sh +++ b/root/secure.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#! /bin/bash owner="`id -nu`" @@ -27,15 +27,16 @@ then echo "The file you specified does not yet exist." echo "Let's create it and add your first user." echo - read -p "Enter a user id: " $user_id + read -p "Enter a user id: " user_id - echo "Creating the '$user_id' user account..." - htpasswd -m "$passwd_file" "$user_id" || exit + echo "Creating the $user_id user account..." + + htpasswd -c -m "$passwd_file" "$user_id" || exit echo "Creating the administrator account..." echo "See the README file for more information about the" echo "'pkiadmin' user." - htpasswd -c -m "$passwd_file" 'pkiadmin' || exit + htpasswd -m "$passwd_file" 'pkiadmin' || exit fi echo diff --git a/root/setup.php b/root/setup.php deleted file mode 120000 index 8c56157..0000000 --- a/root/setup.php +++ /dev/null @@ -1 +0,0 @@ -setup.php-presetup \ No newline at end of file diff --git a/root/setup.php b/root/setup.php new file mode 100644 index 0000000..8c56157 --- /dev/null +++ b/root/setup.php @@ -0,0 +1 @@ +setup.php-presetup \ No newline at end of file diff --git a/root/setup.php-presetup b/root/setup.php-presetup index 69ee414..8607e9e 100644 --- a/root/setup.php-presetup +++ b/root/setup.php-presetup @@ -3,29 +3,6 @@ include('./config.php'); include('./include/my_functions.php'); include('./include/common.php'); -function flush_exec($command, $line_length=200) { - $handle = popen("$command 2>&1",'r'); - - $line = ''; - while (! feof($handle)) { - $chr = fread($handle, 1); - $line .= $chr; - if ($chr == "\n") { - print str_replace("\n", "
\n", $line); - $line = ''; - flush(); - } - elseif (strlen($line) > $line_length) { - print $line."
\n"; - $line = ''; - flush(); - } - } - print $line."
\n"; - flush; - return; -} - $version = PHPKI_VERSION; # Who does the webserver run as (apache,www-data,etc)? @@ -54,6 +31,14 @@ $passwdv = gpvar('passwdv'); $expiry = gpvar('expiry'); $keysize = gpvar('keysize'); $base_url = gpvar('base_url'); +$crl_distrib = gpvar('crl_distrib'); +$revoke_url = gpvar('revoke_url'); +$policy_url = gpvar('policy_url'); +$comment_root = gpvar('comment_root'); +$comment_email = gpvar('comment_email'); +$comment_sign = gpvar('comment_sign'); +$comment_srv = gpvar('comment_srv'); +$comment_stamp = gpvar('comment_stamp'); $openssl_bin = gpvar('openssl_bin'); $passwd_file = gpvar('passwd_file'); $getting_help = gpvar('getting_help'); @@ -61,7 +46,9 @@ $ca_prefix = gpvar('ca_prefix'); $header_title = gpvar('header_title'); $store_dir = gpvar('store_dir'); -if ($base_url && substr($base_url,-1) != '/') $base_url .= '/'; +if ($base_url && substr($base_url, -1) != '/') { + $base_url .= '/'; +} $hidden_fields = ' @@ -76,6 +63,14 @@ $hidden_fields = ' + + + + + + + + @@ -85,150 +80,226 @@ $hidden_fields = ' '; switch ($stage) { -case 'validate': - $er = ''; + case 'validate': + $er = ''; + if (! $country) { + $er .= 'Missing Country
'; + } + if (! $province) { + $er .= 'Missing State/Province
'; + } + if (! $locality) { + $er .= 'Missing Locality
'; + } + if (! $organization) { + $er .= 'Missing Organization
'; + } + if (! $unit) { + $er .= 'Missing Unit/Department
'; + } + if (! $contact) { + $er .= 'Missing Contact E-mail Address
'; + } + if (! $common_name) { + $er .= 'Missing Common Name
'; + } + if (! $passwd) { + $er .= 'Missing Certificate Password
'; + } + if (! $passwdv) { + $er .= 'Missing Certificate Password Verification "Again"
'; + } + if (! $header_title) { + $er .= 'Missing Header Title
'; + } + if (! $passwd_file) { + $er .= 'Missing User Password File Location'; + } + if (! $store_dir) { + $er .= 'Missing Storage Directory
'; + } - if (! $country) $er .= 'Missing Country
'; - if (! $province) $er .= 'Missing State/Province
'; - if (! $locality) $er .= 'Missing Locality
'; - if (! $organization) $er .= 'Missing Organization
'; - if (! $unit) $er .= 'Missing Unit/Department
'; - if (! $contact) $er .= 'Missing Contact E-mail Address
'; - if (! $common_name) $er .= 'Missing Common Name
'; - if (! $passwd) $er .= 'Missing Certificate Password
'; - if (! $passwdv) $er .= 'Missing Certificate Password Verification "Again"
'; - if (! $header_title) $er .= 'Missing Header Title
'; - if (! $passwd_file) $er .= 'Missing User Password File Location'; - if (! $store_dir) $er .= 'Missing Storage Directory
'; + $countrycode = strtoupper($country); - $countrycode = strtoupper($country); + if (! preg_match("/\b[A-Z][A-Z]\b/", $countrycode, $match)) { + $er .= 'Country Code must be ISO 3166 two letters
'; + } - if (! preg_match("/\b[A-Z][A-Z]\b/", $countrycode, $match) ) { - $er .= 'Country Code must be ISO 3166 two letters
'; - } + if ($passwd && strlen($passwd) < 8) { + $er .= 'Certificate password is too short.
'; + } - if ( $passwd && strlen($passwd) < 8 ) - $er .= 'Certificate password is too short.
'; + if ($passwd and $passwd != $passwdv) { + $er .= 'Password and password verification do not match.
'; + } - if ( $passwd and $passwd != $passwdv ) - $er .= 'Password and password verification do not match.
'; - - if ( $email && ! is_email($contact) ) + if ($contact && ! is_email($contact)) { $er .= 'E-mail address ('. htvar($contact) . ') may be invalid.
'; + } - if (strpos($store_dir,$_SERVER['DOCUMENT_ROOT']) === 0) - $er .= 'Store directory must exist somewhere outside of DOCUMENT_ROOT ('.$_SERVER['DOCUMENT_ROOT'].').
'; + // reetp this was the wrong way round - swapped + // strpos ($haystack, $needle) + if (strpos($_SERVER['DOCUMENT_ROOT'], $store_dir) === 0) { + $er .= 'Store directory ('.$store_dir.') must exist somewhere outside of DOCUMENT_ROOT ('.$_SERVER['DOCUMENT_ROOT'].').
'; + } - if (strpos($store_dir,dirname($_SERVER['SCRIPT_FILENAME'])) === 0) - $er .= 'Store directory cannot exist within the PHPki installation directory ('.dirname($_SERVER['SCRIPT_FILENAME']).').
'; + // reetp this was the wrong way round - swapped + // strpos ($haystack, $needle) + if (strpos(dirname($_SERVER['SCRIPT_FILENAME']), $store_dir) === 0) { + $er .= 'Store directory ('.$store_dir.') cannot exist within the PHPki installation directory ('.dirname($_SERVER['SCRIPT_FILENAME']).').
'; + } - if (! $er) { - if (! file_exists($store_dir) ) { - if ( ! mkdir("$store_dir",$store_perms)) $er .= "Could not create the store directory \"$store_dir\"
"; - } + if (! $er) { + if (! file_exists($store_dir)) { + if (! mkdir("$store_dir", $store_perms)) { + $er .= "Could not create the store directory \"$store_dir\"
"; + } + } - if (file_exists($store_dir)) { - if (! chmod($store_dir, $store_perms)) $er .= "Could not change permissions on the store directory \"$store_dir\"
"; - if (! is_readable($store_dir)) $er .= "The store directory \"$store_dir\" is not readable by the web server user \"$uname\"
"; - if (! is_writeable($store_dir)) $er .= "The store directory \"$store_dir\: is not writeable by the web server user \"$uname\"
"; - } - else { - $er .= "Store directory \"$store_dir\" does not exist. You will have to manually create it as desribed in the setup form.
"; - } - } + if (file_exists($store_dir)) { + if (! chmod($store_dir, $store_perms)) { + $er .= "Could not change permissions on the store directory \"$store_dir\"
"; + } + if (! is_readable($store_dir)) { + $er .= "The store directory \"$store_dir\" is not readable by the web server user \"$uname\"
"; + } + if (! is_writeable($store_dir)) { + $er .= "The store directory \"$store_dir\: is not writable by the web server user \"$uname\"
"; + } + } else { + $er .= "Store directory \"$store_dir\" does not exist. You will have to manually create it as described in the setup form.
"; + } + } - if ( $er ) + if ($er) { $er = '

ERROR(S) IN FORM:

' . $er . '

'; + } - if ($er) { + if ($er) { printHeader('setup'); ?> -
+ - +
- "; printFooter(); break; - } + } + + // Here we have "if (not $er)" then fall through to case 'write' + // It's pretty crappy coding TBH -case 'write': - - printHeader('about'); + case 'write': + printHeader('about'); - # - #Create the file store directory structure. - # + # + #Create the file store directory structure. + # - print 'Creating PHPki file store...
'; - flush(); + print 'Creating PHPki file store...
'; + flush(); - if (! file_exists("$store_dir/config")) mkdir("$store_dir/config",$store_perms); - if (! file_exists("$store_dir/tmp")) mkdir("$store_dir/tmp",$store_perms); - if (! file_exists("$store_dir/CA")) mkdir("$store_dir/CA",$store_perms); - if (! file_exists("$store_dir/CA/certs")) mkdir("$store_dir/CA/certs",$store_perms); - if (! file_exists("$store_dir/CA/private")) mkdir("$store_dir/CA/private",$store_perms); - if (! file_exists("$store_dir/CA/newcerts")) mkdir("$store_dir/CA/newcerts",$store_perms); - if (! file_exists("$store_dir/CA/requests")) mkdir("$store_dir/CA/requests",$store_perms); - if (! file_exists("$store_dir/CA/crl")) mkdir("$store_dir/CA/crl",$store_perms); - if (! file_exists("$store_dir/CA/pfx")) mkdir("$store_dir/CA/pfx",$store_perms); + if (! file_exists("$store_dir/config")) { + mkdir("$store_dir/config", $store_perms); + } + if (! file_exists("$store_dir/tmp")) { + mkdir("$store_dir/tmp", $store_perms); + } + if (! file_exists("$store_dir/CA")) { + mkdir("$store_dir/CA", $store_perms); + } + if (! file_exists("$store_dir/CA/certs")) { + mkdir("$store_dir/CA/certs", $store_perms); + } + if (! file_exists("$store_dir/CA/private")) { + mkdir("$store_dir/CA/private", $store_perms); + } + if (! file_exists("$store_dir/CA/newcerts")) { + mkdir("$store_dir/CA/newcerts", $store_perms); + } + if (! file_exists("$store_dir/CA/requests")) { + mkdir("$store_dir/CA/requests", $store_perms); + } + if (! file_exists("$store_dir/CA/crl")) { + mkdir("$store_dir/CA/crl", $store_perms); + } + if (! file_exists("$store_dir/CA/pfx")) { + mkdir("$store_dir/CA/pfx", $store_perms); + } - # - # Create the PHPki CA configuration. - # - print 'Writing configuration files...
'; - flush(); + # + # Create the PHPki CA configuration. + # + print 'Writing configuration files...
'; + flush(); - $config_txt = << EOS; - # - # Write out the CA configuration file. - # - $fd = fopen("$store_dir/config/config.php",'w'); - fwrite($fd, $config_txt); - fclose($fd); + # + # Write out the CA configuration file. + # + $fd = fopen("$store_dir/config/config.php", 'w'); + fwrite($fd, $config_main_txt); + fclose($fd); - # - # Create the bootstrap configuration - # - $config_txt = << EOS; - # - # Write out the bootstrap config - # - $fd = fopen('./config.php','w'); - fwrite($fd, $config_txt); - fclose($fd); + # + # Write out the bootstrap config + # + $fd = fopen('./config.php', 'w'); + fwrite($fd, $config_boot_txt); + fclose($fd); - # Re-read the CA config file so the openssl_functions - # can be used to create a CA root certificate. - include("$store_dir/config/config.php"); + # Re-read the CA config file so the openssl_functions + # can be used to create a CA root certificate. + include("$store_dir/config/config.php"); - # - # Now create a temporary openssl.cnf for creating a self-signed - # CA root certificate, and create a generic openssl.cnf file - # in the CA home - # - $config_txt1 = <<< EOS -HOME = $config[home_dir] -RANDFILE = $config[random] -dir = $config[ca_dir] -certs = $config[cert_dir] -crl_dir = $config[crl_dir] -database = $config[index] -new_certs_dir = $config[new_certs_dir] -private_dir = $config[private_dir] -serial = $config[serial] -certificate = $config[cacert_pem] -crl = $config[cacrl_pem] -private_key = $config[cakey] -crl_extensions = crl_ext -default_days = 365 -default_crl_days = 30 -preserve = no -default_md = sha1 + # + # Now create a temporary openssl.cnf for creating a self-signed + # CA root certificate, and create a generic openssl.cnf file + # in the CA home + # + + $configHOME = $config['home_dir']; + $configRANDFILE = $config['random']; + $configCa_dir = $config['ca_dir']; + $configCert_dir = $config['cert_dir']; + $configCrl_dir = $config['crl_dir']; + $configDatabase = $config['index']; + $configNew_certs_dir = $config['new_certs_dir']; + $configPrivate_dir = $config['private_dir']; + $configSerial = $config['serial']; + $configCacert_pem = $config['cacert_pem']; + $configCacrl_pem = $config['cacrl_pem']; + $configCakey = $config['cakey']; + $configDefault_md = $config['default_md']; + $configBase_url = $config['base_url']; + $configCrl_dist = $config['crl_distrib']; + $configComment_root = $config['comment_root']; + $configPolicy_url = $config['policy_url']; + $configRevoke_url = $config['revoke_url']; + $configComment_email = $config['comment_email']; + $configComment_sign = $config['comment_sign']; + $configComment_srv = $config['comment_srv']; + + + $config_txt1 = " + +HOME = $configHOME +RANDFILE = $configRANDFILE +dir = $configCa_dir +certs = $configCert_dir +crl_dir = $configCrl_dir +database = $configDatabase +new_certs_dir = $configNew_certs_dir +private_dir = $configPrivate_dir +serial = $configSerial +certificate = $configCacert_pem +crl = $configCacrl_pem +private_key = $configCakey +crl_extentions = crl_ext +default_days = 365 +default_crl_days = 30 +preserve = no +default_md = $configDefault_md [ ca ] -default_ca = email_cert +default_ca = email_cert [ root_cert ] -x509_extensions = root_ext -default_days = 3650 -policy = policy_supplied +x509_extensions = root_ext +default_days = 3650 +policy = policy_supplied [ email_cert ] -x509_extensions = email_ext -default_days = 365 -policy = policy_supplied +x509_extensions = email_ext +default_days = 365 +policy = policy_supplied [ email_signing_cert ] -x509_extensions = email_signing_ext -default_days = 365 -policy = policy_supplied +x509_extensions = email_signing_ext +default_days = 365 +policy = policy_supplied [ server_cert ] -x509_extensions = server_ext -default_days = 365 -policy = policy_supplied +x509_extensions = server_ext +default_days = 365 +policy = policy_supplied [ vpn_cert ] -x509_extensions = vpn_client_server_ext -default_days = 365 -policy = policy_supplied +x509_extensions = vpn_client_server_ext +default_days = 365 +policy = policy_supplied [ time_stamping_cert ] -x509_extensions = time_stamping_ext -default_days = 365 -policy = policy_supplied +x509_extensions = time_stamping_ext +default_days = 365 +policy = policy_supplied [ policy_supplied ] -countryName = supplied -stateOrProvinceName = supplied -localityName = supplied -organizationName = supplied -organizationalUnitName = supplied -commonName = supplied -emailAddress = supplied +countryName = supplied +stateOrProvinceName = supplied +localityName = supplied +organizationName = supplied +organizationalUnitName = supplied +commonName = supplied +emailAddress = supplied [ root_ext ] -basicConstraints = CA:true -keyUsage = cRLSign, keyCertSign -nsCertType = sslCA, emailCA, objCA -subjectKeyIdentifier = hash -subjectAltName = email:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Root Certificate Authority" -#nsCaRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +basicConstraints = CA:true +keyUsage = cRLSign, keyCertSign +nsCertType = sslCA, emailCA, objCA +subjectKeyIdentifier = hash +subjectAltName = email:copy +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_root +#nsCaRevocationUrl = +nsCaPolicyUrl = $configBase_url$configPolicy_url [ email_ext ] -basicConstraints = critical, CA:false -keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = critical, emailProtection, clientAuth -nsCertType = critical, client, email -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = email:copy -issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Personal Certificate" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -#nsRenewalUrl = -nsCaPolicyUrl = $config[base_url]policy.html -#nsSslServerName = +basicConstraints = critical, CA:false +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = critical, emailProtection, clientAuth +nsCertType = critical, client, email +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_email +nsBaseUrl = $configBase_url +nsRevocationUrl = $configRevoke_url +#nsRenewalUrl = +nsCaPolicyUrl = $configBase_url$configPolicy_url +#nsSslServerName = [ email_signing_ext ] -basicConstraints = critical, CA:false -keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning -nsCertType = critical, client, email -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = email:copy -issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Personal Certificate" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -#nsRenewalUrl = -nsCaPolicyUrl = $config[base_url]policy.html -#nsSslServerName = +basicConstraints = critical, CA:false +keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = critical, emailProtection, clientAuth, codeSigning +nsCertType = critical, client, email +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_sign +nsBaseUrl = $configBase_url +nsRevocationUrl = $configRevoke_url +#nsRenewalUrl = +nsCaPolicyUrl = $configBase_url$configPolicy_url +#nsSslServerName = [ server_ext ] -basicConstraints = CA:false -keyUsage = critical, digitalSignature, keyEncipherment -nsCertType = critical, server -extendedKeyUsage = critical, serverAuth, 1.3.6.1.5.5.7.3.1 -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = DNS:$common_name,email:copy -issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = "PHPki/OpenSSL Generated Secure Server Certificate" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html +basicConstraints = critical, CA:false +keyUsage = critical, digitalSignature, keyEncipherment +nsCertType = server +extendedKeyUsage = critical, serverAuth +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = $server_altnames +issuerAltName = issuer:copy +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $configComment_srv +nsBaseUrl = $configBase_url +nsRevocationUrl = $configRevoke_url +nsCaPolicyUrl = $configBase_url$configPolicy_url [ time_stamping_ext ] -basicConstraints = CA:false -keyUsage = critical, nonRepudiation, digitalSignature -extendedKeyUsage = timeStamping -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = DNS:$common_name,email:copy -issuerAltName = issuer:copy -crlDistributionPoints = URI:$config[base_url]index.php?stage=dl_crl -nsComment = \"PHPki/OpenSSL Generated Time Stamping Certificate\" -nsBaseUrl = $config[base_url] -nsRevocationUrl = ns_revoke_query.php? -nsCaPolicyUrl = $config[base_url]policy.html - +basicConstraints = CA:false +keyUsage = critical, nonRepudiation, digitalSignature +extendedKeyUsage = timeStamping +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy +issuerAltName = issuer:copy +crlDistributionPoints = URI:$configBase_url$configCrl_dist +nsComment = $config[comment_stamp] +nsBaseUrl = $configBase_url +nsRevocationUrl = $configRevoke_url +nsCaPolicyUrl = $configBase_url$configPolicy_url [ vpn_client_ext ] -basicConstraints = critical, CA:false -keyUsage = critical, digitalSignature -extendedKeyUsage = critical, clientAuth -nsCertType = critical, client -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = DNS:$common_name,email:copy +basicConstraints = critical, CA:false +keyUsage = critical, digitalSignature +extendedKeyUsage = critical, clientAuth +nsCertType = critical, client +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy [ vpn_server_ext ] -basicConstraints = critical, CA:false -keyUsage = critical, digitalSignature, keyEncipherment -extendedKeyUsage = critical, serverAuth -nsCertType = critical, server -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = DNS:$common_name,email:copy +basicConstraints = critical, CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = critical, serverAuth +nsCertType = critical, server +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy [ vpn_client_server_ext ] -basicConstraints = critical, CA:false -keyUsage = critical, digitalSignature, keyEncipherment -extendedKeyUsage = critical, serverAuth, clientAuth -nsCertType = critical, server, client -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid:always, issuer:always -subjectAltName = DNS:$common_name,email:copy +basicConstraints = critical, CA:false +keyUsage = critical, digitalSignature, keyEncipherment +extendedKeyUsage = critical, serverAuth, clientAuth +nsCertType = critical, server, client +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always, issuer:always +subjectAltName = DNS:$common_name,email:copy [ crl_ext ] issuerAltName=issuer:copy authorityKeyIdentifier=keyid:always,issuer:always +"; -EOS; - - $config_txt2 = <<< EOS + $config_txt2 = <<< EOS [ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_name -string_mask = nombstr -req_extensions = req_ext +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_name +string_mask = nombstr +req_extensions = req_ext [ req_name] -countryName = Country Name (2 letter code) -countryName_default = US -countryName_min = 2 -countryName_max = 2 +countryName = Country Name (2 letter code) +countryName_default = US +countryName_min = 2 +countryName_max = 2 -stateOrProvinceName = State or Province Name (full name) -stateOrProvinceName_default = +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = -localityName = Locality Name (eg, city) -localityName_default = +localityName = Locality Name (eg, city) +localityName_default = -0.organizationName = Organization Name (eg, company) -0.organizationName_default = +0.organizationName = Organization Name (eg, company) +0.organizationName_default = -1.organizationName = Second Organization Name (eg, company) -1.organizationName_default = +1.organizationName = Second Organization Name (eg, company) +1.organizationName_default = -organizationalUnitName = Organizational Unit Name (eg, section) -organizationalUnitName_default = +organizationalUnitName = Organizational Unit Name (eg, section) +organizationalUnitName_default = -commonName = Common Name (eg, YOUR name) +commonName = Common Name (eg, YOUR name) -emailAddress = Email Address or Web URL +emailAddress = Email Address or Web URL [ req_ext ] basicConstraints = critical, CA:false @@ -511,23 +609,31 @@ basicConstraints = critical, CA:false EOS; - $config_txt3 = <<< EOS + $configCountry = $config['country']; + $configProvince = $config['province']; + $configLocality = $config['locality']; + $configOrganization = $config['organization']; + $configUnit = $config['unit']; + $configCommon_name = $config['common_name']; + $configEmailaddress = $config['contact']; + + $config_txt3 = <<< EOS [ req ] -default_bits = 1024 -default_keyfile = privkey.pem -distinguished_name = req_name -string_mask = nombstr -req_extensions = req_ext -prompt = no +default_bits = 2048 +default_keyfile = privkey.pem +distinguished_name = req_name +string_mask = nombstr +req_extensions = req_ext +prompt = no [ req_name ] -C = $config[country] -ST = $config[province] -L = $config[locality] -O = $config[organization] -OU = $config[unit] -CN = $config[common_name] -emailAddress = $config[contact] +C = $configCountry +ST = $configProvince +L = $configLocality +O = $configOrganization +OU = $configUnit +CN = $configCommon_name +emailAddress = $configEmailaddress [ req_ext ] basicConstraints = critical, CA:true @@ -535,141 +641,229 @@ basicConstraints = critical, CA:true EOS; - # - # Write the permanent OpenSSL config - # - $fd = fopen($config['openssl_cnf'],'w'); - fwrite($fd, $config_txt1 . $config_txt2); - fclose($fd); - - # - # Write the temporary OpenSSL config - # - $tmp_cnf = "$config[home_dir]/tmp/openssl.cnf"; - $fd = fopen($tmp_cnf,'w'); - fwrite($fd, $config_txt1 . $config_txt3); - fclose($fd); - - # - # Intialize index.txt and serial files - # - $fd = fopen($config['index'],'w'); - fwrite($fd, ""); - fclose($fd); - # - $fd = fopen($config['serial'],'w'); - fwrite($fd, "100001"); - fclose($fd); - - # - # Convert expiry years to approximate days. - # - $days = $config['expiry'] * 365.25; - - - # - # Create a new self-signed CA certificate in PEM format. - # - print 'Creating root certificate...
'; - flush(); - - exec(REQ . " -x509 -config $tmp_cnf -extensions root_ext -newkey rsa:$keysize -keyout $config[cakey] -out $config[cacert_pem] -passout pass:'$config[ca_pwd]' -days $days 2>&1"); - - # **** DISABLED ***** - # It appears that both IE and Netscape accept PEM formatted root certificates - # - # Create a copy of the CA certificate in DER format. - # - #exec(X509 . " -in ca/$config[cacert_pem] -inform PEM -out ca/$config[cacert_der] -outform DER 2>&1"); - - # - # Generate the initial CRL. - # - print 'Generating certificate revocation list...
'; - flush(); - exec(CA . " -gencrl -config $config[openssl_cnf] -out $config[cacrl_pem] -passin pass:'$config[ca_pwd]'"); - - # Make a copy of the CRL in DER format. - # - exec(CRL . " -in $config[cacrl_pem] -out $config[cacrl_der] -inform PEM -outform DER"); - - # - # Clean up. - # - if (! unlink("$store_dir/tmp/openssl.cnf")) print "Can't unlink $store_dir/tmp/openssl.cnf"; - - - # - # Create dhparam files for OpenVPN and others. - # - print '

Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.
'; - print "Saving to $store_dir/dhparam1024.pem.
"; - $cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024"; - print $cmd.'
'; - flush(); - flush_exec($cmd,100); - - # - # Create a TLS auth key for OpenVPN. # + # Write the permanent OpenSSL config + # + $fd = fopen($config['openssl_cnf'], 'w'); + fwrite($fd, $config_txt1 . $config_txt2); + fclose($fd); - print '

Creating a TLS authentication key used by OpenVPN.
'; - print "Saving to $store_dir/takey.pem.
"; - $cmd = "openvpn --genkey --secret '$config[private_dir]/takey.pem'"; - print $cmd.'
'; + # + # Write the temporary OpenSSL config + # + $configHome_dir = $config['home_dir']; + $tmp_cnf = "$configHome_dir/tmp/openssl.cnf"; + $fd = fopen($tmp_cnf, 'w'); + fwrite($fd, $config_txt1 . $config_txt3); + fclose($fd); + + # + # Initialize index.txt and serial files + # + $fd = fopen($config['index'], 'w'); + fwrite($fd, ""); + fclose($fd); + # + $fd = fopen($config['serial'], 'w'); + fwrite($fd, "100001"); + fclose($fd); + + # + # Convert expiry years to approximate days. + # + $days = $config['expiry'] * 365.25; + + # + # Create a new self-signed CA certificate in PEM format. + # + print 'Creating root certificate... '. $keysize .' bits
'; flush(); - flush_exec($cmd); + + $configOpenssl_cnf = $config['openssl_cnf']; + $configPrivate_dir = $config['private_dir']; + $configCacert_pem = $config['cacert_pem']; + $configCa_pwd = $config['ca_pwd']; + $configCakey = $config['cakey']; + $configRandom = $config['random']; + $configCacrl_der = $config['cacrl_der']; + $configCacrl_pem = $config['cacrl_pem']; + + // .rnd created here + exec(REQ . " -x509 -config $tmp_cnf -extensions root_ext -newkey rsa:$keysize -keyout $configCakey -out $configCacert_pem -passout pass:'$configCa_pwd' -days $days 2>&1"); + + # **** DISABLED ***** + # It appears that both IE and Netscape accept PEM formatted root certificates + # + # Create a copy of the CA certificate in DER format. + # + #exec(X509 . " -in ca/$config[cacert_pem] -inform PEM -out ca/$config[cacert_der] -outform DER 2>&1"); + + # + # Generate the initial CRL. + # + print 'Generating certificate revocation list...
'; + flush(); + exec(CA . " -gencrl -config $configOpenssl_cnf -out $configCacrl_pem -passin pass:'$configCa_pwd'"); + + # Make a copy of the CRL in DER format. + # + exec(CRL . " -in $configCacrl_pem -out $configCarcrl_der -inform PEM -outform DER"); + + # + # Clean up. + # + if (! unlink("$store_dir/tmp/openssl.cnf")) { + print "Can't unlink $store_dir/tmp/openssl.cnf"; + } + + # + # Create dhparam files for OpenVPN and others. + # + #print '

Creating 1024 bit Diffie-Hellman parameters used by OpenVPN.
'; + #print "Saving to $config[private_dir]/dhparam1024.pem.
"; + #$cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024"; + #print $cmd.'
'; + #flush(); + #flush_exec($cmd,100); + + #print "Please ignore warnings about \"unable to write 'random state\'

"; + + // This method works but still errors in logs + // exec(DH . "-rand '$config[random]' -out '$config[private_dir]/dhparam1024.pem' 1024"); + // exec(DH . " -out '$config[private_dir]/dhparam1024.pem' 1024"); + + print '

Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.
'; + print "Saving to $store_dir/dhparam2048.pem.
"; + $cmd = "openssl dhparam -rand '$configRandom' -out '$configPrivate_dir/dhparam2048.pem' 2048"; + print $cmd.'
'; + flush(); + flush_exec($cmd, 200); + + print "Please ignore warnings about \"unable to write 'random state'

"; + + # + # Create a TLS auth key for OpenVPN if openvpn is installed + # + $command = 'which openvpn'; + $command = escapeshellcmd($command); + + if (system($command) == '/usr/sbin/openvpn') { + print '

Creating a TLS authentication key used by OpenVPN.
'; + print "Saving to $store_dir/takey.pem.
"; + $cmd = "openvpn --genkey --secret '$configPrivate_dir/takey.pem'"; + print $cmd.'
'; + flush(); + flush_exec($cmd); + } else { + echo "openvpn is required to generate a takey.pem
"; + echo "You can create one later like this:
"; + echo "openvpn --genkey --secret ". $configPrivate_dir . "/takey.pem
"; + } - #print '

Creating 2048 bit Diffie-Hellman parameters used by OpenVPN.
'; - #print "Saving to $store_dir/dhparam2048.pem.
"; - #$cmd = "openssl dhparam -rand '$config[random]' -out '$config[private_dir]/dhparam2048.pem' 2048"; - #print $cmd.'
'; - #flush(); - #flush_exec($cmd,200); - - # - # Step aside and let the users in (create index.php files). - # - if (! unlink('index.php')) print "Can't unlink index.php"; - if (! unlink('setup.php')) print "Can't unlink setup.php";; - if (! unlink('ca/index.php')) print "Can't unlink ca/index.php"; - if (! symlink('main.php','index.php')) print "Can't symlink main.php"; - if (! symlink('main.php','ca/index.php')) print "Can't symlink ca/main.php";; - ?> -

-

Setup is complete. Your CA root certificate as been created.

-



- - -

-
- +
+

Setup is complete. Your CA root certificate as been created.

+ SECURITY WARNING!   Be sure to run the secure.sh shell script as the root user.'; + } + ?> +



+

+ + +
+
+ '; + exit; - if (! $common_name) $common_name = $config['common_name']; - if (! $common_name) $common_name = "PHPki Certificate Authority"; + default: + if (! $country) { + $country = $config['country']; + } + if (! $province) { + $province = $config['province']; + } + if (! $locality) { + $locality = $config['locality']; + } + if (! $organization) { + $organization = $config['organization']; + } + if (! $contact) { + $contact = $config['contact']; + } + if (! $expiry) { + $expiry = $config['expiry']; + } + if (! $expiry) { + $expiry = 10; + } + if (! $keysize) { + $keysize = $config['keysize']; + } + if (! $keysize) { + $keysize = 2048; + } + if (! $passwd) { + $passwd = $config['ca_pwd']; + } + if (! $passwdv) { + $passwdv = $passwd; + } - if (! $getting_help) $getting_help = $config['getting_help']; - if (! $getting_help) $getting_help = ' + if (! $unit) { + $unit = $config['unit']; + } + if (! $unit) { + $unit = "Certificate Authority"; + } + + if (! $common_name) { + $common_name = $config['common_name']; + } + if (! $common_name) { + $common_name = "PHPki Certificate Authority"; + } + + if (! $getting_help) { + $getting_help = $config['getting_help']; + } + if (! $getting_help) { + $getting_help = ' Contact:
First-Name Last-Name
Company/Organization Name
@@ -679,221 +873,368 @@ City, State, ZipCode

Phone: (000) 000-0000
E-mail: someone@somewhere.com   E-mail is preferred.
'; - - if (! $store_dir) $store_dir = dirname($_SERVER['DOCUMENT_ROOT']).'/phpki-store'; - - if (! $base_url) $base_url = $config['base_url']; - if (! $base_url) $base_url = 'http://www.somewhere.com/phpki/'; - - if (! $ca_prefix) $ca_prefix = $config['ca_prefix']; - - if (! $openssl_bin) $openssl_bin = $config['openssl_bin']; - if (! $openssl_bin) $openssl_bin = '/usr/bin/openssl'; - - if (! $passwd_file) $passwd_file = $config['passwd_file']; - if (! $passwd_file) $passwd_file = dirname($_SERVER['DOCUMENT_ROOT']).'/phpkipasswd'; - - if (! $header_title) $header_title = $config['header_title']; - if (! $header_title) $header_title = 'Certificate Authority'; - - printHeader('setup'); - ?> -
method=post> -

Certificate Authority Initial Setup

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + if (! $base_url) { + $base_url = $config['base_url']; + } + if (! $base_url) { + $base_url = 'http://www.somewhere.com/phpki/'; + } - - - - + if (! $crl_distrib) { + $crl_distrib = 'index.php?stage=dl_crl'; + } + if (! $revoke_url) { + $revoke_url = 'ns_revoke_query.php?'; + } + if (! $policy_url) { + $policy_url = 'policy.html'; + } -

Root Certificate Data

Organization *
Department/Unit *
- Common Name * - This is embeded in certificates, and is most often displayed in - e-mail clients as the Issued By: text. This is usually - the full name of your certificate authority (i.e. ACME Certificate Authority). -
- Technical Contact E-mail Address *
- Enter an e-mail address where users should send correspondence - regarding your certificate authority and the certificates you issue. -
Locality *
State/Province *
Country *
- Password *
- This password will be used to protect your root certificate private - key. Do not lose or forget this password. - 		   Again
- Certificate Life *
- Enter the number of years you wish your root certificate to be valid. -
- Key Size *
- Enter the size of your certificate key. -
- Certificate Authority Base URL
- Enter the public Web address where your Certificate Authority will - reside. The address should end with a trailing slash (/) character. - This address will be embeded in all certficates issued - by your CA, for informational purposes. - 		- -
+ if (! $comment_root) { + $comment_root = 'PHPki/OpenSSL Generated Root Certificate Authority'; + } + if (! $comment_email) { + $comment_email = 'PHPki/OpenSSL Generated Personal Certificate'; + } + if (! $comment_sign) { + $comment_sign = 'PHPki/OpenSSL Generated Personal Certificate'; + } + if (! $comment_srv) { + $comment_srv = 'PHPki/OpenSSL Generated Secure Server Certificate'; + } + if (! $comment_stamp) { + $comment_stamp = 'PHPki/OpenSSL Generated Time Stamping Certificate'; + } -

- - - - + if (! $ca_prefix) { + $ca_prefix = $config['ca_prefix']; + } - - - - + if (! $openssl_bin) { + $openssl_bin = $config['openssl_bin']; + } + if (! $openssl_bin) { + $openssl_bin = '/usr/bin/openssl'; + } - - - - + if (! $passwd_file) { + $passwd_file = $config['passwd_file']; + } + if (! $passwd_file) { + $passwd_file = dirname($_SERVER['DOCUMENT_ROOT']).'/phpkipasswd'; + } - - - - + if (! $header_title) { + $header_title = $config['header_title']; + } + if (! $header_title) { + $header_title = 'Certificate Authority'; + } - - - - + printHeader('setup'); + ?> + +

Certificate Authority Initial Setup

+

Configuration Options

- Storage Directory *
- Enter the location where PHPki will store its files. This should be a directory where - the web server has full read/write access (chown ; chmod 700), and is preferably - outside of DOCUMENT_ROOT (). You may have to manually create the directory before completing this form. - 		- -
- Location of OpenSSL Executable *
- Enter the location of your OpenSSL binary. The default is usually ok. - 		- -
- Location of HTTP password file *
- Enter the location of your PHPki user password file. The default is usually ok. - 		- -
- File Upload Prefix
- This is an optional prefix which will be added to root certificate - and certificate revocation list file uploads. Normally the root - certificate is uploaded as caroot.crt. With a prefix like - "acme_", the root certificate would be uploaded as - "acme_caroot.crt". - 		- -
+ + + + + + + + + + + - - - - + + + + - - - - -

Root Certificate Data

* Required field

 
Organization *
- Page Header Title
- This title will be displayed superimposed over the PHPki logo at the - top of every page. - 		- -
Department/Unit *
- Help Document Contact Info
- This text will be inserted into the online help document - under the "Getting Additional Help" section. Include full - contact info for the convenience of your users. Use HTML - tags to improve presentation. - 		- -
- * Required field + + + Common Name * + This is embeded in certificates, and is most often displayed in + e-mail clients as the Issued By: text. This is usually + the full name of your certificate authority (i.e. ACME Certificate Authority). + + + -

-

- -
+ + + Technical Contact E-mail Address *
+ Enter an e-mail address where users should send correspondence + regarding your certificate authority and the certificates you issue. + - + + + + Locality * + + + + + State/Province * + + + + + Country Code ISO 3166 - 2 Characters * + + + + + + Password *
+ This password will be used to protect your root certificate private + key.
Can't contain single quote ! Do not lose or forget this password. + +    Again + + + + + Certificate Life *
+ Enter the number of years you wish your root certificate to be valid. + + + + + + + Key Size *
+ Enter the size of your certificate key. Recommend 2048+ + + + + + + + Certificate Authority Base URL
+ Enter the public Web address where your Certificate Authority will + reside. The address should end with a trailing slash (/) character. + This address will be embeded in all certficates issued + by your CA, for informational purposes. + + + + + + + + + Certificate Authority CRL Distribution Points
+ Provide the public URL where Certificate Revocation List (CRL) of + your CA will reside. This path is relative to Base URL above. + You may leave it by default if your clients have direct access to PHPki. + + + + + + + + + Certificate Authority Revocation Check URL
+ Provide the public URL where clients of your CA can check if the requested + certificate has been revoked. This path is relative to Base URL above. + You may leave it by default if your clients have direct access to PHPki. + + + + + + + + + Certificate Authority Policy URL
+ Provide the public URL where your CA policy will reside. + This path is relative to Base URL above. + You may leave it by default or adjust to your environment. + + + + + + + + + Root Certificate Comment
+ Root certificate Comment attribute. You may change it to something + or use the default value set by PHPki. + + + + + + + + + Email Certificate Comment
+ Email certificate Comment attribute. You may change it to something + or use the default value set by PHPki. + + + + + + + + + Email/Signing Certificate Comment
+ Email and signing certificate Comment attribute. You may change it + to something or use the default value set by PHPki. + + + + + + + + + SSL Server Certificate Comment
+ SSL server certificate Comment attribute. You may change it to something + or use the default value set by PHPki. + + + + + + + + + Time Stamping Certificate Comment
+ Time stamping certificate Comment attribute. You may change it + to something or use the default value set by PHPki. + + + + + + + + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Configuration Options

+ Storage Directory *
+ Enter the location where PHPki will store its files. This should be a directory where + the web server has full read/write access (chown ; chmod 700), and is preferably + outside of DOCUMENT_ROOT (). You may have to manually create the directory before completing this form. + 		+ +
+ Location of OpenSSL Executable *
+ Enter the location of your OpenSSL binary. The default is usually ok. + 		+ +
+ Location of HTTP password file *
+ Enter the location of your PHPki user password file. The default is usually ok. + 		+ +
+ File Upload Prefix
+ This is an optional prefix which will be added to root certificate + and certificate revocation list file uploads. Normally the root + certificate is uploaded as caroot.crt. With a prefix like + "acme_", the root certificate would be uploaded as + "acme_caroot.crt". + 		+ +
+ Page Header Title
+ This title will be displayed superimposed over the PHPki logo at the + top of every page. + 		+ +
+ Help Document Contact Info
+ This text will be inserted into the online help document + under the "Getting Additional Help" section. Include full + contact info for the convenience of your users. Use HTML + tags to improve presentation. + 		+ +
+ + * Required field +

Please click the Submit button ONCE and be patient.
+ This may take a few minutes. Please do not interrupt the process.....
+

+ +

+

+ + +

+ +